A form on an HTTPS page that submits its data to a plain HTTP endpoint sends everything the visitor typed — including passwords or payment details — over an unencrypted connection, even though the page itself looked secure with a padlock icon.
A form whose action posts to http:// instead of https:// sends whatever the visitor typed — including passwords — across the network in plain text, readable by anyone on the same network.
Every form on the site submits its data to an HTTPS endpoint.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →