If a user passes an http:// url to the SaferMatcher, their username/password or API key will be sent in the clear. Adding a check to ensure they're using an https:// url would prevent them from accidentally sending credentials over the network in clear-text.

(I'd happily open a PR)

@nuchi great catch. If you could send a PR that would be amazing. Thanks for the contribution :)