Gitlab HTTP Permission enforcement

I am a little confused by how Gitlab enforces permissions via HTTP. I host my own gitlab repo for my personal projects and don’t want to buy a signed ssl cert. Someone has been trying to brute force my ssh server so I am disabling public ssh access at this time. I need to be able to access my code repository via HTTP, but I would still like to enforce permissions. It would appear that anyone who has my domain, username, and project name can push to my repository.
i.e. if you know about the gitlab url then you can view, pull, push, revert, etc with impunity.

How does gitlab enforce read/write permissions when accessing a repository via http? I remember using gitlab in the past and it used to ask for your gitlab username and password via HTTP, but it doesn’t seem to do that any more.