HTTP referral links returned on project creation with API via HTTPS
Summary
The links returned under _links in the response to a project creation via the API use the HTTP scheme even when the API itself was called over HTTPS. This can lead to plaintext connections if automated tools follow the returned links as-is.
Steps to reproduce
Request:
curl --header "PRIVATE-TOKEN: XXX" -X POST "https://gitlab.com/api/v4/projects?name=test1&namespace_id=YYY"
Response:
{
  "id": ZZZ,
  "description": null,
  "default_branch": null,
  "tag_list": [],
  "ssh_url_to_repo": "git@gitlab.com:MyNamespace/test1.git",
  "http_url_to_repo": "https://gitlab.com/MyNamespace/test1.git",
  "web_url": "https://gitlab.com/MyNamespace/test1",
  "name": "test1",
  (...)
  "_links": {
    "self": "http://gitlab.com/api/v4/projects/ZZZ",   <-- all HTTP
    "issues": "http://gitlab.com/api/v4/projects/ZZZ/issues",
    "merge_requests": "http://gitlab.com/api/v4/projects/ZZZ/merge_requests",
    "repo_branches": "http://gitlab.com/api/v4/projects/ZZZ/repository/branches",
    "labels": "http://gitlab.com/api/v4/projects/ZZZ/labels",
    "events": "http://gitlab.com/api/v4/projects/ZZZ/events",
    "members": "http://gitlab.com/api/v4/projects/ZZZ/members"
  },
  (...)
What is the current bug behavior?
HTTP is used in the links returned under _links. On the other hand, http_url_to_repo and web_url correctly point to HTTPS.
What is the expected correct behavior?
All links returned in the response should use the same scheme as the one used to connect to the API.
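Until the server is fixed, an API client can refuse to follow a downgraded link itself. The following is an added example (not GitLab's code); it assumes a constructed response in the shape shown above with a made-up project id, checks every _links entry against the scheme and host of the request that produced it, and rewrites the usable ones to the request's scheme:

```python
"""Detect and neutralise scheme downgrades in an API's _links object.

Added example, not part of the issue or of GitLab. SAMPLE_RESPONSE is a
constructed response modelled on the one in the issue (made-up id 12345)."""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: HTTPS request, HTTP _links (the reported behaviour).
SAMPLE_RESPONSE = json.dumps({
    "id": 12345,
    "http_url_to_repo": "https://gitlab.com/MyNamespace/test1.git",
    "web_url": "https://gitlab.com/MyNamespace/test1",
    "_links": {
        "self": "http://gitlab.com/api/v4/projects/12345",
        "issues": "http://gitlab.com/api/v4/projects/12345/issues",
        "members": "http://gitlab.com/api/v4/projects/12345/members",
    },
})

def find_downgraded_links(request_url: str, body: str) -> dict:
    """Return the _links entries an automated client must not follow blindly:
    an http link after an https request (downgrade), or a link whose host
    differs from the host the request went to."""
    req = urlsplit(request_url)
    bad = {}
    for name, url in json.loads(body).get("_links", {}).items():
        link = urlsplit(url)
        if req.scheme == "https" and link.scheme != "https":
            bad[name] = url          # plaintext follow-up of a TLS request
        elif link.hostname != req.hostname:
            bad[name] = url          # foreign host, never auto-follow
    return bad

def safe_links(request_url: str, body: str) -> dict:
    """Return _links rewritten to the request's scheme, dropping links to
    other hosts. Use these instead of the raw values when following links."""
    req = urlsplit(request_url)
    out = {}
    for name, url in json.loads(body).get("_links", {}).items():
        link = urlsplit(url)
        if link.hostname != req.hostname:
            continue
        out[name] = urlunsplit((req.scheme, link.netloc, link.path,
                                link.query, link.fragment))
    return out

if __name__ == "__main__":
    req = "https://gitlab.com/api/v4/projects?name=test1&namespace_id=1"
    for name, url in find_downgraded_links(req, SAMPLE_RESPONSE).items():
        print(f"downgraded link: {name} -> {url}")
    print(safe_links(req, SAMPLE_RESPONSE))
```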
Additional notes
Tested with the gitlab.com API. However, there is a high chance it's a general problem and therefore reported for gitlab-ce.