I am not an expert by any means, but I can see one problem: you
are serving the login page over http and not https. This
potentially exposes any of the form data to sniffing.

Compare to my site:

I am not sure I would agree with your "security checking site"
either. Qualys gives you an "A" SSL report:

AFAIK, Qualys ONLY checks an https connection.

Your server has both http and https open. My SurgeWeb server runs
behind an Apache proxy where I have set up a redirect to force
http to https. (Try http://secure.eton.ca/surgeweb to see it

There should be SurgeMail settings that will force logins over
https, but NetWin can give you those. (My proxy setup means I
don't need to use or know them.)

On 2017-04-13 12:15 AM, Frank Bulk
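
An added example, not part of the original thread and not written by either poster: a Python check for the two conditions the reply raises, a password form served or submitted over plain http, and whether an http request is redirected to https. The host `mail.example.test`, the `/login` form action and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the form action is a placeholder.
SAMPLE_HTML = ('<form action="/login" method="post"><input name="user">'
               '<input type="password" name="pass"></form>')


class _FormScanner(HTMLParser):
    """Records the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._action = None        # action of the open form, None outside a form
        self._seen = False         # password input already recorded for this form
        self.password_forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._seen = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is not None and not self._seen:
                self.password_forms.append(self._action)
                self._seen = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_page(page_url, html):
    """Return findings for password forms exposed to cleartext http."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action in scanner.password_forms:
        target = urljoin(page_url, action)  # an empty action posts back to page_url
        if urlsplit(page_url).scheme != "https":
            findings.append(f"login form served over cleartext: {page_url}")
        if urlsplit(target).scheme != "https":
            findings.append(f"credentials posted over cleartext: {target}")
    return findings


def forces_https(status, location, requested_url):
    """True if the response redirects the http request to https on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    dest = urlsplit(urljoin(requested_url, location))
    return dest.scheme == "https" and dest.hostname == urlsplit(requested_url).hostname
```

A page fetched over https can still fail the second check if its form action is an absolute http URL, which an SSL grade of the https listener alone would not reveal.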