[JSS]

I just noticed that all the built-in profile pictures are http and not https links.

Not exactly a world-shattering security hole, but something to fix if it's just editing a script or config line somewhere.

That would keep web browsers from complaining your site is insecure, which likely drives off a small number of people.

[xasop]

It wouldn't keep browsers from complaining about that because plenty of people just link external avatars anyway. We'd need to have SMF copy external avatars so they can be hosted over HTTPS, and I'm not sure if that work is entirely worth it given it's only GET requests for images. Browsers can be so touchy.

Edit: Actually, fixing the built-in ones is probably indeed worthwhile as the cookie for the forum will be sent to such URLs. I didn't realise those were http, given we force SMF to be served only over https. Thanks for raising this, it's time to go garbage diving in SMF code again.