It’s quite common for secure pages to be indexed, however they’re generally just duplicate versions of the non-secure pages, unless you’re using the https protocol across your website. The best ways around this is to either canonicalise https pages to the http equivalent or add a robots.txt file to the https version of the website and disallow certain pages or all.