diff --git a/Network/Wai/Handler/WarpTLS.hs b/Network/Wai/Handler/WarpTLS.hs
--- a/Network/Wai/Handler/WarpTLS.hs
+++ b/Network/Wai/Handler/WarpTLS.hs
@@ -1,9 +1,17 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE RankNTypes #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE DeriveDataTypeable #-}
 module Network.Wai.Handler.WarpTLS
-    ( TLSSettings (..)
+    ( TLSSettings
+    , certFile
+    , keyFile
+    , onInsecure
+    , OnInsecure (..)
+    , tlsSettings
     , runTLS
     , runTLSSocket
+    , WarpTLSException (..)
     ) where
 
 import qualified Network.TLS as TLS
@@ -28,16 +36,44 @@
 import qualified Data.IORef as I
 import Control.Monad (unless)
 import Crypto.Random.API (getSystemRandomGen)
+import Control.Exception (Exception, throwIO)
+import Data.Typeable (Typeable)
 
 data TLSSettings = TLSSettings
     { certFile :: FilePath
+      -- ^ File containing the certificate.
     , keyFile :: FilePath
+      -- ^ File containing the key
+    , onInsecure :: OnInsecure
+      -- ^ Do we allow insecure connections with this server as well? Default
+      -- is a simple text response stating that a secure connection is required.
+      --
+      -- Since 1.4.0
+    , tlsLogging :: TLS.Logging
+      -- ^ The level of logging to turn on.
+      --
+      -- Default: 'TLS.defaultLogging'.
+      --
+      -- Since 1.4.0
     }
 
+data OnInsecure = DenyInsecure L.ByteString
+                | AllowInsecure
+
+tlsSettings :: FilePath -- ^ Certificate file
+            -> FilePath -- ^ key file
+            -> TLSSettings
+tlsSettings cert key = TLSSettings
+    { certFile = cert
+    , keyFile = key
+    , onInsecure = DenyInsecure "This server only accepts secure HTTPS connections."
+    , tlsLogging = TLS.defaultLogging
+    }
+
 runTLSSocket :: TLSSettings -> Settings -> Socket -> Application -> IO ()
-runTLSSocket tset set sock app = do
-    certs   <- readCertificates $ certFile tset
-    pk      <- readPrivateKey $ keyFile tset
+runTLSSocket TLSSettings {..} set sock app = do
+    certs   <- readCertificates certFile
+    pk      <- readPrivateKey keyFile
     let params =
             TLS.updateServerParams
                 (\sp -> sp { TLS.serverWantClientCert = False }) $
@@ -45,6 +81,7 @@
             { TLS.pAllowedVersions = [TLS.SSL3,TLS.TLS10,TLS.TLS11,TLS.TLS12]
             , TLS.pCiphers         = ciphers
             , TLS.pCertificates    = zip certs $ (Just pk):repeat Nothing
+            , TLS.pLogging         = tlsLogging
             }
     runSettingsConnectionMaker set (getter params) app
   where
@@ -84,12 +121,25 @@
                             , connRecv = TLS.recvData ctx
                             }
                     return conn
-                else do
-                    let conn = (socketConnection s)
-                            { connRecv = getNext $ fmap (fromMaybe B.empty) C.await
-                            }
-                    return conn
+                else
+                    case onInsecure of
+                        AllowInsecure ->
+                            let conn = (socketConnection s)
+                                    { connRecv = getNext $ fmap (fromMaybe B.empty) C.await
+                                    }
+                             in return conn
+                        DenyInsecure lbs -> do
+                            let src = do
+                                    C.yield "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
+                                    mapM_ C.yield $ L.toChunks lbs
+                            src C.$$ sinkSocket s
+                            sClose s
+                            throwIO InsecureConnectionDenied
         return (mkConn, sa)
+
+data WarpTLSException = InsecureConnectionDenied
+    deriving (Show, Typeable)
+instance Exception WarpTLSException
 
 runTLS :: TLSSettings -> Settings -> Application -> IO ()
 runTLS tset set app =
diff --git a/warp-tls.cabal b/warp-tls.cabal
--- a/warp-tls.cabal
+++ b/warp-tls.cabal
@@ -1,5 +1,5 @@
 Name:                warp-tls
-Version:             1.3.5.1
+Version:             1.4.0
 Synopsis:            SSL support for Warp via the TLS package
 License:             MIT
 License-file:        LICENSE
@@ -15,7 +15,7 @@
 Library
   Build-Depends:     base                          >= 4        && < 5
                    , bytestring                    >= 0.9
-                   , wai                           >= 1.3      && < 1.4
+                   , wai                           >= 1.3      && < 1.5
                    , warp                          >= 1.3.5    && < 1.4
                    , transformers                  >= 0.2
                    , conduit                       >= 0.5      && < 1.1
