auth.php: disallow unencrypted logins by default

inc/config.php

@@ -180,6 +180,10 @@
     // Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
     $config['cookies']['httponly'] = true;
 
+    // Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
+    // load-balancer without encryption.
+    $config['cookies']['secure_login_only'] = true;
+
     // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
     $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
 
@@ -1216,6 +1220,7 @@
     // Moderator errors
     $config['error']['toomanyunban']    = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
     $config['error']['invalid']     = _('Invalid username and/or password.');
+    $config['error']['insecure']    = _('Login on insecure connections is disabled.');
     $config['error']['notamod']     = _('You are not a mod…');
     $config['error']['invalidafter']    = _('Invalid username and/or password. Your user may have been deleted or changed.');
     $config['error']['malformed']       = _('Invalid/malformed cookies.');