disable basic-auth on https redirects?

[alicebob]

Hi,

I got a virtual host which uses both basic-auth and tls:

metadata:
  annotations:
    haproxy.org/auth-type: basic-auth
    haproxy.org/auth-secret: default/haproxy-basic-auth
[...]
spec:
  ingressClassName: "haproxy"
  tls:
  - hosts:
    - my.domain.example.com
[...]

now when I curl http://my.domain.example.com (note that's "http", not "https") I get the 401 permission denied error. I would expect that the only thing the http version does is redirect to https, and never asks for a password (since that's insecure). Would that make sense?
strict-transport-security might or might not fix this, but it will not help for the first visit.

Thoughts?