Web API w/ SSL allows non-secure GET requests

The scenario: I have a .NET Core 2.0 Web API app configure to use only secure connections. I'm using Postman to test the requests.

If I try to POST, PUT or DELETE using non-secure URL (HTTP), it returns status 403 (as it should be). However, it accepts GET requests via HTTP.

I'm really an amateur regarding SSL usage, so I don't know if it should be the common behavior (although, I my head, it doesn't make any sense).

The SSL configuration in Web API is done as the following:

certificate.json:

{
 "certificateSettings": {
    "fileName": "filename.pfx",
    "password": "password"
  }
}

Program.cs:

public static IWebHost BuildWebHost(string[] args)
    {
        var config = new ConfigurationBuilder()
        .SetBasePath(Directory.GetCurrentDirectory())
        .AddEnvironmentVariables()
        .AddJsonFile("certificate.json", optional: true, reloadOnChange: true)
        .AddJsonFile($"certificate.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")}.json", optional: true, reloadOnChange: true)
        .Build();

        var certificateSettings = config.GetSection("certificateSettings");
        string certificateFileName = certificateSettings.GetValue<string>("filename");
        string certificatePassword = certificateSettings.GetValue<string>("password");

        var certificate = new X509Certificate2(certificateFileName, certificatePassword);

        return WebHost.CreateDefaultBuilder(args)
            .UseKestrel(
                options =>
                {
                    options.AddServerHeader = false;
                    options.Listen(IPAddress.Loopback, 44312, listenOptions =>
                    {
                        listenOptions.UseHttps(certificate);
                    });
                }
            )
            .UseConfiguration(config)
            .UseStartup<Startup>()
            .Build();
    }

Startup.cs:

public void ConfigureServices(IServiceCollection services)
    {
        ...
        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new RequireHttpsAttribute());
        });
        services.AddAntiforgery(
            options =>
            {
                options.Cookie.Name = "_af";
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.HeaderName = "X-XSRF-TOKEN";
            }
        );

The app is hosted in IIS 10. It's an sub-Application, inside a Website, and this Website has the certificate I'm using bound in port 443. There's a copy of this certificate in the root of the application (although I don't know if this is needed).

All HTTPS requests work like a charm.

I believe it's something silly, I just couldn't figure it out. My web searches came to nothing.

Thanks in advance.