To benefit the community, summarizing the answer here; from comments (above).
HttpsOnly will only impact HTTP request (App Service Load Balancer will redirect HTTP to HTTPs).
If the incoming is already HTTPs – then no-op. You mentioned the call is always HTTPs – so HTTPsOnly should not matter.
From the investigations - it seems to be a combination of POSTMAN and your code issue. When you redirect /users to /users/ - it always redirect to HTTP regardless of incoming http or https. You may try to change the code when redirect /users to /users/ to preserve HTTP/HTTPS incoming scheme (http -> http, https -> https).
- (mentioned in the private comment):
"
thanks for the response, it has led me to the answer I required.
I was using the prefix parameter of the APIRouter class as per https://fastapi.tiangolo.com/tutorial/bigger-applications/#apirouter. It appears that this was responsible for the 307 redirect on HTTP.
I'm still using that class but now without the prefix parameter. If I find that I require that in the future I have found this article to assist with that
https://stackoverflow.com/questions/63511413/fastapi-redirection-for-trailing-slash-returns-non-ssl-link
"
Thanks again @Tom Burgess for your patience and cooperation!