diff --git a/README.rst b/README.rst
index 84f4799..05f82be 100644
--- a/README.rst
+++ b/README.rst
@@ -9,13 +9,14 @@ Settings
 The following settings should be placed in *settings.py*.
-=========================== ==============================================================
+=========================== ================================================================
 Setting Value
-=========================== ==============================================================
+=========================== ================================================================
+GOOGLEAUTH_SECURE callback URL is HTTPS (your side, not Google), default True
 GOOGLEAUTH_CLIENT_ID client ID from the Google Developer Console
 GOOGLEAUTH_CLIENT_SECRET client secret from the Google Developer Console
 GOOGLEAUTH_IS_STAFF sets value of user.is_staff for new users, default False
 GOOGLEAUTH_GROUPS list of default group names to assign to new users
 GOOGLEAUTH_DOMAIN the app's domain, used to construct callback URLs
 GOOGLEAUTH_DOMAIN_ONLY True if only emails from the domain are allowed, default False
-=========================== ==============================================================
\ No newline at end of file
+=========================== ================================================================
\ No newline at end of file
diff --git a/googleauth/util.py b/googleauth/util.py
deleted file mode 100644
index 19090da..0000000
--- a/googleauth/util.py
+++ /dev/null
@@ -1,15 +0,0 @@
-import random
-from django.conf import settings
-from django.core.urlresolvers import reverse
-
-CSRF_CHARACTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
-
-
-def generate_csrf_token():
- return ''.join(random.choice(CSRF_CHARACTERS) for x in xrange(32))
-
-
-def generate_redirect_uri():
- domain = getattr(settings, 'GOOGLEAUTH_DOMAIN', None)
- path = reverse('googleauth_callback')
- return 'https://%s%s' % (domain, path)
diff --git a/googleauth/views.py b/googleauth/views.py
index b66dfce..519105b 100644
--- a/googleauth/views.py
+++ b/googleauth/views.py
@@ -7,8 +7,6 @@ from django.contrib.auth.views import logout as django_logout
 from django.http import HttpResponse, HttpResponseRedirect
-from .util import generate_csrf_token, generate_redirect_uri
-
 GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth'
 GOOGLE_TOKEN_ENDPOINT = 'https://accounts.google.com/o/oauth2/token'
 GOOGLE_USERINFO_ENDPOINT = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect'
@@ -17,7 +15,35 @@ CLIENT_SECRET = getattr(settings, 'GOOGLEAUTH_CLIENT_SECRET', None)
 DOMAIN = getattr(settings, 'GOOGLEAUTH_DOMAIN', None)
 DOMAIN_ONLY = getattr(settings, 'GOOGLEAUTH_DOMAIN_ONLY', False)
+SECURE = getattr(settings, 'GOOGLEAUTH_SECURE', True)
+
+
+import random
+from django.conf import settings
+from django.core.urlresolvers import reverse
+
+CSRF_CHARACTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+
+
+#
+# utility methods
+#
+
+def generate_csrf_token():
+ return ''.join(random.choice(CSRF_CHARACTERS) for x in xrange(32))
+
+
+def generate_redirect_uri():
+ scheme = 'https' if SECURE else 'http'
+ domain = DOMAIN
+ path = reverse('googleauth_callback')
+ return '%s://%s%s' % (scheme, domain, path)
+
+
+#
+# the views
+#
 def login(request):
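Review bot: `generate_csrf_token()` in the second views.py hunk builds its 32 characters with `random.choice`, which draws from the module-level Mersenne Twister rather than the OS CSPRNG; how the token is consumed lies outside this hunk, but a CSRF or OAuth state value has to be unguessable. The return line could become `return ''.join(random.SystemRandom().choice(CSRF_CHARACTERS) for x in xrange(32))`, or use Django's `get_random_string(32, CSRF_CHARACTERS)` from `django.utils.crypto`. Separately, `generate_redirect_uri()` now emits an `http://` callback when `GOOGLEAUTH_SECURE` is False, so the authorization response would reach the app unencrypted; a comment such as `# SECURE=False is for local development only: the callback carries the OAuth response` would make that explicit. The `import` lines added after the module-level `getattr(settings, ...)` calls also repeat `from django.conf import settings`, which those calls already rely on, so they belong with the imports at the top of the file.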