Currently, there is a setting force_ssl_login that forces the login details to be submitted over https.
However, since the token_auth is confidential, and sometimes passed in URLs (API requests, ajax requests done in the admin screens, etc.) it is desired to have a setting that would ensure that Piwik can ONLY be used over SSL.
(In ) Fixes #2918
Updated the guide Security analytics and the faq How do I force Piwik to use SSL (https) for improved security?