toland / patron

Ruby HTTP client based on libcurl
http://toland.github.com/patron/
MIT License
541 stars 73 forks

Forbid non-HTTP/HTTPS URLs for requests and do not allow redirect to such URLs #129

Closed julik closed 8 years ago

julik commented 8 years ago

I think this is going to be a good security-minded check (see the imgur SSRF drama, which involved leading curl to a non-authorised URL by doing a remote-fetch-by-proxy).

julik commented 8 years ago

According to CURL devs this is not detectable, so I think I'll just go and enable it. If people are running curl that is older, they are exposing themselves to vulnerabilities. Also, we should document the minimum supported curl in the README.

toland commented 8 years ago

LGTM. I have been traveling the last few days, thanks for following up on this.
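The check described in this PR (reject any request URL whose scheme is not http or https, and apply the same rule to every redirect target so curl cannot be steered to file:, gopher:, dict: and similar handlers during a remote fetch) can be illustrated in plain Ruby. The block below is an added example, not code from the patron project: it uses only the standard `uri` library, and the `fetch:` callable plus the `RESPONSES` table are a constructed, hypothetical transport so the example runs offline. Patron itself implements the restriction inside libcurl; this code shows the same policy applied at the application layer, including the relative-`Location` resolution that must happen before the scheme is checked.

```ruby
require "uri"

# Added example (not patron's code): a URL guard of the kind this PR describes.
# It refuses any request URL whose scheme is not http/https, and re-applies the
# same check to every Location header while following redirects, so a redirect
# cannot lead the client to file:, gopher:, dict: or any other curl handler.
module SchemeGuard
  ALLOWED_SCHEMES = %w[http https].freeze
  MAX_REDIRECTS = 5

  class ForbiddenScheme < StandardError; end
  class TooManyRedirects < StandardError; end

  # True only for an absolute http(s) URL that names a host.
  def self.allowed?(url)
    uri = URI.parse(url.to_s)
    ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase) && !uri.host.to_s.empty?
  rescue URI::InvalidURIError
    false
  end

  # Raises unless the URL passes the check; returns the parsed URI otherwise.
  def self.check!(url)
    raise ForbiddenScheme, "refusing non-HTTP(S) URL: #{url}" unless allowed?(url)
    URI.parse(url.to_s)
  end

  # Follows redirects manually, validating each hop. `fetch` is a hypothetical
  # transport callable taking a URI and returning [status, headers, body].
  # Relative Location values are resolved against the current URL first, and an
  # absolute Location replaces it entirely, so "file:///etc/passwd" is caught.
  def self.get(url, fetch:)
    current = check!(url)
    hops = 0
    loop do
      status, headers, body = fetch.call(current)
      redirect = (300..399).cover?(status) && headers["Location"]
      return [current.to_s, status, body] unless redirect

      hops += 1
      raise TooManyRedirects, "more than #{MAX_REDIRECTS} redirects" if hops > MAX_REDIRECTS

      target = URI.join(current.to_s, headers["Location"]).to_s
      current = check!(target) # a redirect to file:/gopher:/dict: raises here
    end
  end
end

# Constructed sample responses standing in for a real server (not real data).
RESPONSES = {
  "http://example.test/start"  => [302, { "Location" => "/next" }, ""],
  "http://example.test/next"   => [302, { "Location" => "https://example.test/final" }, ""],
  "https://example.test/final" => [200, {}, "ok"],
  "http://example.test/evil"   => [302, { "Location" => "file:///etc/passwd" }, ""],
  "http://example.test/loop"   => [302, { "Location" => "/loop" }, ""],
}.freeze
FETCH = ->(uri) { RESPONSES.fetch(uri.to_s) }

if __FILE__ == $PROGRAM_NAME
  p SchemeGuard.get("http://example.test/start", fetch: FETCH)
  begin
    SchemeGuard.get("http://example.test/evil", fetch: FETCH)
  rescue SchemeGuard::ForbiddenScheme => e
    puts "blocked: #{e.message}"
  end
end
```

Checking the scheme only on the initial URL is the gap this PR closes: the first hop is http, the server answers with a `Location` pointing at another handler, and a client that follows redirects blindly ends up issuing that request. The guard above fails closed on the redirect hop, and the hop limit keeps a self-redirecting target from looping.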