Replies

Jun 25, 2020 5 years ago Official
Bug
Segfault

Thank you so much for your report! Could you please list the specific URLs that are having this issue?

🐝 ☕ bug (he/him) | your friendly neighborhood code wrangler. stay in the loop! join and check out the latest admin post highlights

Jul 11, 2020 5 years ago Official
Bug
Segfault

These should all be fixed now!


Jul 12, 2020 5 years ago Official
Bug
Segfault

Okay, I'll let know, thanks! It looks like it should be pretty simple to enable that on Cloudflare. Will keep you updated.


Jul 29, 2020 5 years ago Official
Bug
Segfault

That notice is triggered by external images in forum posts, which don't exist on Subeta and thus we don't have control over them. So like, you can use the img sCode to put any image you want in a forum post, even if that image is on an unsecure image host. This goes for everywhere that we allow you to put images of your choosing - like the forum image, forum signatures, pet profiles and user profiles.

The reason we secure things with HTTPS is that an attacker could read and potentially even modify anything that isn't HTTPS. This is why things like credit card info and passwords must be transmitted over HTTPS. If your image contains sensitive info like a scan of your driver's license, you should make sure that image is secure. But the images people post on Subeta forums should not contain sensitive personal information (I hope everyone uses common sense with what they post here), plus these forums are somewhat public to begin with since anyone can make a Subeta account and read them.

So, these images don't pose a high risk, but if you'd like to block them anyway, there should be a "Block unsecured images" setting in your browser. I definitely encourage blocking them if they at all make you uncomfortable. I block various content on websites myself for my own peace of mind. Anyway, I hope all this helps with any potential concerns :)

Just want to let you know the HSTS thing has not been forgotten.

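The notice discussed in the post above appears when a page loaded over HTTPS embeds images fetched over plain HTTP. As an added example (not part of the original post and not Subeta's code), this Python function lists such images in rendered post HTML; the host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ImageCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a rendered post."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_mixed_images(page_url, post_html):
    """Return the image URLs a browser would fetch over plain HTTP
    from a page that was itself loaded over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    collector = ImageCollector()
    collector.feed(post_html)
    insecure = []
    for src in collector.sources:
        # urljoin resolves relative paths and //host forms against the page.
        absolute = urljoin(page_url, src)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


# Constructed sample: a rendered forum post with five user-supplied images.
PAGE = "https://forum.example/topic/1"
POST = """
<p>Look at my pet!</p>
<img src="http://images.example.net/pet.png">
<img src="https://images.example.net/banner.png">
<img src="//cdn.example.org/sig.gif">
<img src="/static/smiley.png">
<IMG SRC='HTTP://OLD.example.com/a.jpg'>
"""

if __name__ == "__main__":
    for url in find_mixed_images(PAGE, POST):
        print("insecure image:", url)
```

Protocol-relative (`//host/...`) and site-relative sources inherit the page's HTTPS scheme, so only the two explicit `http://` images are reported.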

Jul 30, 2020 5 years ago Official
Bug
Segfault

If you're talking about the notice that our server doesn't use HSTS, you're seeing that because it's true, we don't use it at the moment. If you are enforcing HTTPS through your HTTPS Everywhere then us not using HSTS does not pose any risk to you as long as you have the "Block all unencrypted requests" setting turned on.
