I’m interested in hearing what others do when, in a given application, some pages need to be secure and others don’t. Take any solution off the table that requires a separate domain/subdomain. In this case, all calls, secure or insecure, will link to the same domain. I see a few options:

1. The ham-fisted, just secure it all approach.
2. A URI rewrite solution that ensure the pages that need to be secure are accessed via the https protocol and either ignores other pages or, alternatively, forces those to standard http
3. An application-centric approach where each link is responsible for knowing whether it’s pointing and applying the correct protocol. In this solution, all links would have to be fully qualified.
4. A laissez-fair version of the application-centric approach where links to secure pages are fully qualified and links to other pages are not. In this case, the protocol would be inherited for pages not handled explicitly and inconsequential pages may be accessed via https.

I’ve used several of these from time to time, but they all have drawbacks. What’s everyone else doing in these situations? Is there another path I haven’t considered?

UPDATE:

vartec’s answer below made me realize that I’d left out one critical piece of information. In my network config, all SSL-handling is taken care of at the load balancer level. The LB, then, communicates with the web server cluster via port 80. As a result, the applications themselves have no idea whether traffic arrived securely. All they see is a port 80 connection.

Thanks.