LFS authentication with DISABLE_HTTP_GIT

Hi there,

I am running gitea with DISABLE_HTTP_GIT as I want to restrict access to SSH only. For one of my repositories I am experimenting with Git LFS. I was surprised that the blobs of the large files are downloaded via https even though I have disabled HTTPS access by setting in app.ini [repository] DISABLE_HTTP_GIT = true.

Doesn’t this open security holes and allowing others to download blobs when given an URL? How are these HTTPS requests secured? Is there any authentication happening?

Best regards,