I am running Gitea with DISABLE_HTTP_GIT as I want to restrict access to SSH only. For one of my repositories I am experimenting with Git LFS. I was surprised that the blobs of the large files are downloaded via HTTPS even though I have disabled HTTPS access by setting the following in app.ini:

[repository]
DISABLE_HTTP_GIT = true

Doesn’t this open security holes and allow others to download blobs when given a URL? How are these HTTPS requests secured? Is there any authentication happening?