diff --git a/doc/06-config.md b/doc/06-config.md index f6c2da532..f231bcb47 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -53,6 +53,13 @@ instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the php_openssl extension in php.ini. +## secure-http + +Defaults to `true`. If set to true only HTTPS URLs are allowed to be +downloaded via Composer. If you really absolutely need HTTP access to something +then you can disable it, but using [Let's Encrypt](https://letsencrypt.org/) to +get a free SSL certificate is generally a better alternative. + ## cafile Location of Certificate Authority file on local filesystem. In PHP 5.6+ you diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php index f61b2a2b0..e5ea5c2b4 100644 --- a/src/Composer/Util/RemoteFilesystem.php +++ b/src/Composer/Util/RemoteFilesystem.php 
@@ -255,17 +255,18 @@ class RemoteFilesystem
         }
 
         // Check for secure HTTP
-        if (($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
+        if (
+            ($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
             && $this->config && $this->config->get('secure-http')
         ) {
-            // Rewrite unsecure Packagist urls to use https
-            if (substr($fileUrl, 0, 21) === 'http://packagist.org/') {
-                $fileUrl = 'https://packagist.org/' . substr($fileUrl, 21);
-            } else {
-                throw new TransportException(
-                    sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false',
-                        $this->scheme, $originUrl
-                    ));
+            // Passthru unsecure Packagist calls to $hashed providers as file integrity is verified with sha256
+            if (substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) {
+                // other URLs must fail hard
+                throw new TransportException(sprintf(
+                    'Your configuration does not allow connection to %s://%s. See https://getcomposer.org/doc/06-config.md#secure-http for details.',
+                    $this->scheme,
+                    $originUrl
+                ));
             }
         }
 
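Review bot: The passthru condition on the new inner `if` is looser than its comment claims: any `http://packagist.org/p/` URL that contains a `$` or `%24` anywhere — in a query string or fragment as much as in a provider filename — is allowed over plain HTTP, and the sha256 verification the comment relies on is not in this hunk, so nothing visible here ties the exemption to an integrity-checked response. Matching the hashed-provider shape explicitly keeps the exemption to what is actually verified, e.g. `if (!preg_match('{^http://packagist\.org/p/[^?#]*(\$|%24)[0-9a-f]+\.json$}', $fileUrl)) {` (adjust the suffix/digest form if the provider naming differs). The comment should also point the next reader at where the hash is checked, e.g. `// Plain-HTTP fetches of packagist.org/p/*$hash.json are tolerated only because the downloaded body's sha256 is verified afterwards (see the caller of this method)`, with the location confirmed rather than assumed. The enclosing method starts and ends outside the hunk.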