Not certain whether this is justified as "evilness", but some browsers will flag this site as not secure.

Hmmm. I haven't actually done anything to make Multiverse support HTTPS myself at all. (I've been kinda meaning to, but...) Looks like my hoster is doing part of it but not quite following all the way through. I'll check it out. Thanks for the heads up.

...Bother. Yes:

> The Heroku SSL feature is included for free on any app that uses paid dynos: Hobby, Standard-1X, Standard-2X, Performance-M and Performance-L. Apps using free dynos can use the *.herokuapp.com certificate if they need SSL.

Looks like I'd need to start paying Heroku more, or jump through some hoops with OpenSSL.

(It's a bit annoying because paying Heroku another $7 per month to upgrade from "free dynos" to "hobby dynos" would get slightly better uptime but no better performance, and just one or two mildly-useful features like SSL. To actually get better performance (because I know people do still get the Application Errors and suchlike), I'd need to go up to the eye-watering $50 per month (in addition to the $7 per month I'm currently paying them for the database of a couple of hundred thousand table rows).)

Related: when I hit the site via HTTPS, everything mostly works except the on-hover card previews from the skeleton. I get "Blocked loading mixed active content" in the console. I suspect all that's needed to fix this is to make sure that XHR requests use the same protocol as the page was loaded under. In HTML you can usually write links in the form "://www.magicmultiverse.net/path/to/page" (omitting the leading "http" or "https") and the browser will do the right thing both ways. I'm not sure about JavaScript.