Not as far as I know, but as @dirk_s said I would force to always use https. As for the force refresh part - I encountered this issue some time ago with the login page. I solved this in a way that I always forced login page refresh and so CSRF token was regenerated.