The scenario is as follows: I have a Web API application built in ASP.NET Core 2.0 and configured to only accept secure connections. I'm using Postman to test the requests.
If I send POST, PUT, and DELETE requests to the non-secure (HTTP) address, it returns status 403, as it should. However, GET requests go through.
I am a layperson on this matter of secure communication, so I do not know whether this is normal behavior (although in my head it does not make sense).
SSL configuration is done this way:
certificate.json:

    {
      "certificateSettings": {
        "fileName": "nomedocertificado.pfx",
        "password": "senha"
      }
    }
Program.cs:

    using System;
    using System.IO;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;

    public static IWebHost BuildWebHost(string[] args)
    {
        var config = new ConfigurationBuilder()
            .SetBasePath(Directory.GetCurrentDirectory())
            .AddEnvironmentVariables()
            .AddJsonFile("certificate.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"certificate.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")}.json", optional: true, reloadOnChange: true)
            .Build();

        // Configuration keys are case-insensitive, so "filename" matches "fileName" in the JSON.
        var certificateSettings = config.GetSection("certificateSettings");
        string certificateFileName = certificateSettings.GetValue<string>("filename");
        string certificatePassword = certificateSettings.GetValue<string>("password");
        var certificate = new X509Certificate2(certificateFileName, certificatePassword);

        return WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options =>
            {
                options.AddServerHeader = false;
                // Only an HTTPS endpoint is opened on Kestrel itself.
                options.Listen(IPAddress.Loopback, 44312, listenOptions =>
                {
                    listenOptions.UseHttps(certificate);
                });
            })
            .UseConfiguration(config)
            .UseStartup<Startup>()
            .Build();
    }
Startup.cs:

    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        ...
        // Global MVC filter that should refuse non-HTTPS requests.
        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new RequireHttpsAttribute());
        });

        services.AddAntiforgery(options =>
        {
            options.Cookie.Name = "_af";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.HeaderName = "X-XSRF-TOKEN";
        });
    }
The application runs in IIS 10, as an application under a website whose certificate (the one configured in certificate.json) is attached to port 443. There is a copy of the certificate at the root of the project as well (although I do not know if this is required).
All HTTPS requests work perfectly.
I imagine it is something silly; in my research I just could not find anything that points me to what it is.
Thank you.
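An added example, not part of the question above and not the asker's code. `RequireHttpsAttribute`, the filter registered in the question's Startup.cs, treats verbs differently: a non-HTTPS GET is answered with a redirect to the `https://` URL, while other verbs get 403. A client that follows redirects automatically (Postman does by default) therefore shows the GET as succeeding. For an API, a plain rejection for every verb is usually the better policy, and the middleware below does that. The middleware and extension names are hypothetical, and the `Configure` method shown stands in for the app's own `Startup.Configure`, which the post does not show; it assumes ASP.NET Core 2.0.

```csharp
// Added example (not the asker's code). Assumes ASP.NET Core 2.0 and the
// Startup class from the question; middleware and extension names are hypothetical.
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

namespace SecureApiExample
{
    // Rejects every request that did not arrive over TLS with 403, for all
    // HTTP verbs. Unlike RequireHttpsAttribute, it never redirects a GET,
    // so a client cannot be bounced onto the https:// URL transparently.
    public sealed class RejectPlainHttpMiddleware
    {
        private readonly RequestDelegate _next;

        public RejectPlainHttpMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public Task Invoke(HttpContext context)
        {
            // Caveat: behind IIS, Request.IsHttps reflects the scheme the
            // client used only because UseIISIntegration (part of
            // CreateDefaultBuilder) applies the forwarded headers from the
            // ASP.NET Core Module. Behind any other proxy, forwarded-header
            // handling must be configured or IsHttps will always be false.
            if (!context.Request.IsHttps)
            {
                context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return Task.CompletedTask;
            }
            return _next(context);
        }
    }

    public static class RejectPlainHttpExtensions
    {
        public static IApplicationBuilder UseRejectPlainHttp(this IApplicationBuilder app)
        {
            return app.UseMiddleware<RejectPlainHttpMiddleware>();
        }
    }

    // Stand-in for the app's own Startup.Configure: register the middleware
    // before MVC so plaintext requests never reach the filter pipeline.
    public class Startup
    {
        public void Configure(IApplicationBuilder app)
        {
            app.UseRejectPlainHttp();
            app.UseMvc();
        }
    }
}
```

To see what is actually happening in Postman, turn off "Automatically follow redirects" in its settings and repeat the plaintext GET: with the original filter the response is the redirect rather than the followed HTTPS response, and with the middleware above every verb gets a 403.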