January 23, 2009

ajax security

I’ve just checked in a change that allows configuring the access and authentication requirements of Ajax calls at the method level. That means it is possible to restrict single methods of an Ajax controller to HTTPS, or to require the user to be registered.

The second would then allow using the session’s account details rather than an accountId from the URL. That way it would be ensured that users can’t access other users’ data.
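A sketch of the idea described above, as an added example that is not the project's own code: each Ajax method declares its requirements, a dispatcher enforces them before the call, and the account is read from the session instead of a request parameter. The `ajax` decorator, `dispatch`, `AccountController` and the request dictionary layout are all hypothetical names and assumptions.

```python
class AccessDenied(Exception):
    """Raised when a call does not meet a method's declared requirements."""


def ajax(require_https=False, require_registered=False):
    """Attach per-method access requirements to an Ajax controller method."""
    def decorate(method):
        method.ajax_policy = {"https": require_https,
                              "registered": require_registered}
        return method
    return decorate


class AccountController:
    # Constructed sample data, standing in for an account store.
    ACCOUNTS = {1: {"email": "alice@example.test"},
                2: {"email": "bob@example.test"}}

    @ajax()  # no requirements: callable over HTTP without a session
    def ping(self, request):
        return "pong"

    @ajax(require_https=True, require_registered=True)
    def details(self, request):
        # The account id comes from the server-side session; an accountId
        # supplied in request["params"] is never consulted.
        return self.ACCOUNTS[request["session"]["account_id"]]


def dispatch(controller, name, request):
    """Check the method's policy, then invoke it. Undeclared names are denied."""
    method = getattr(controller, name, None)
    policy = getattr(method, "ajax_policy", None)
    if policy is None:
        raise AccessDenied("not an Ajax method")
    if policy["https"] and request.get("scheme") != "https":
        raise AccessDenied("HTTPS required")
    if policy["registered"] and not request.get("session", {}).get("account_id"):
        raise AccessDenied("registration required")
    return method(request)
```

Because only decorated methods carry a policy, anything on the controller that was not explicitly declared as an Ajax method is rejected by default.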