Some links are written as HTTP instead of HTTPS

For example, the emailed link to generate a password for a newly created account uses `http`. It would be better to use `https`, though it's not high priority imo since a secure server setup would use automatic redirection.

This could be set dynamically based on the actual server (e.g. localhost generally must be http), but hard-coding https is probably better than nothing.