Requiring a reverse proxy for TLS is pretty standard, but the rest of those findings are egregious (if they haven't been addressed yet.)