Hello,
The site currently uses HTTPS only if the user enters it into their browser, even then clicking around the site falls back to HTTP. This allows people to steal cookies/passwords on public networks.
Solution, enforce HTTPS.
Since the site is behind a CDN, you can use their configuration...