Security vulnerability When accessing the admin page on a server with http and https both enbled, admin may accidentally attempt to login via http. The login page looks the same and displays an input for the password even when the login will be rejected due to insecure http protocol, while still allowing you to send the password unencrypted.
Some web browsers now (stupidly) don't even display the protocol in the address bar, making it even harder to tell if it is http or https. Solution Only display the admin password input to connections from localhost and https.
