Not really a bug but when manually accessing http://onedev.io, it will happily serve it over HTTP (which is no big deal I guess), however, it also serves the login page (http://onedev.io/login) and the signup page (http://onedev.io/signup) over HTTP which leads to unencrypted passwords going over the wire.
You should consider automatically redirecting to HTTPS (or to code.onedev.io) since it is publicly accessible.
Not really a bug but when manually accessing http://onedev.io, it will happily serve it over HTTP (which is no big deal I guess), however, it also serves the login page (http://onedev.io/login) and the signup page (http://onedev.io/signup) over HTTP which leads to unencrypted passwords going over the wire.
You should consider automatically redirecting to HTTPS (or to code.onedev.io) since it is publicly accessible.