It's been bothering me that Fuwanovel uses HTTP for the main website and all subdomains (including these forums) and immediately downgrades all secure connections to HTTP via a redirect (301). This is concerning because all requests such as logins, sending session cookies etc. are transmitted in plaintext, making it trivial for a man-in-the-middle attack to steal user credentials (and users tend to re-use those on multiple sites even though they should know better) or hijack sessions, they can read all messages and intercept or modify them at will, including sending the user to their own site while making it appear as fuwa (there are also many other good reasons to switch everything to HTTPS , but these are currently the most pressing issues).
To prevent this, HTTPS should be enabled everywhere and should be enforced by enabling HSTS to avoid attacks such as those of sslstrip.
(ignore the next paragraph if you already how to fix this issue and just haven't come around to do so yet - though at least the first part shouldn't take very long at all and the second isn't too bad either)
One possible solution: Since Fuwanovel already uses Cloudflare, you can fix part of the connection very easily: Go to Cloudflare -> Crypto, set SSL to Flexible (should already be that way, really we want Full (strict), but that might involve more steps on your part, see below), and enable HSTS on all subdomains (hard to go back on, but you shouldn't ever want to go back on it anyways), you also might want to redirect everything to HTTPS one way or another. This fixes the issue for the connection between users and Cloudflare, however the connection between Cloudflare and your servers is still insecure, so make sure your web servers support HTTPS (might involve some tweaking of configurations or proxying in the worst case if your web server doesn't support it) and you have a valid certificate set up (certificates from Let's Encrypt are free and easily automatable, don't see a reason not to use them), then set the Cloudflare SSL setting to Full (strict). Now the connections between Cloudflare and your servers are secure as well. (You could optionally set up Authenticated Origin Pulls to make sure you're only responding to traffic coming through Cloudflare.)