First post. Not sure if you're taking security bugs here, but hopefully these are easy fixes on your end. If not, please feel free to delete. Please see attached.
There are two cookies without recommended flags. The first is PHPSESSID, which lacks HttpOnly, Secure, and SameSite. The second, SMFCookie451, lacks Secure and SameSite.
All of these flags should be set, if possible, for session (and session-like) cookies.
EDIT: The homepage is also loading mixed HTTP/HTTPS content which potentially could degrade the security benefits of going HTTPS. Specifically -
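
The cookie findings in the post above can be re-checked after a fix with a small audit of the `Set-Cookie` response headers. This is an added example, not part of the original post or the forum software; the header values and the cookie name `hardened` are constructed sample data.

```python
# Added example: audit Set-Cookie headers for the flags named in the post
# (HttpOnly, Secure, SameSite). All header values below are constructed.
REQUIRED = ("httponly", "secure", "samesite")

SAMPLE_HEADERS = [
    "PHPSESSID=constructedvalue1; path=/",
    "SMFCookie451=constructedvalue2; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/; HttpOnly",
    "hardened=constructedvalue3; Path=/; Secure; HttpOnly; SameSite=Lax",  # hypothetical cookie
]

def parse_set_cookie(header):
    """Return (cookie_name, {lowercased_attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        # Attribute names are case-insensitive; valueless ones are flags.
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs

def missing_flags(header):
    """Return (cookie_name, list of recommended flags the header lacks)."""
    name, attrs = parse_set_cookie(header)
    missing = [flag for flag in REQUIRED if flag not in attrs]
    # Edge case: SameSite=None is only honoured by browsers together with
    # Secure, so flag that combination explicitly.
    samesite = attrs.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none" and "secure" not in attrs:
        missing.append("samesite=none-requires-secure")
    return name, missing

def audit(headers):
    """Map each cookie with at least one missing flag to its missing flags."""
    findings = {}
    for header in headers:
        name, missing = missing_flags(header)
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

To check a live response, pass in the `Set-Cookie` header values taken from the browser's developer tools or a saved response in place of `SAMPLE_HEADERS`.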