+ <!-- Require HTTPS for everything except /img (favicon) and /css. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTTPSOnly</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTTPSOrHTTP</web-resource-name>
+ <url-pattern>*.ico</url-pattern>
+ <url-pattern>/img/*</url-pattern>
+ <url-pattern>/css/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>NONE</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+