With the exception of this Discourse instance, all the sites are static HTML. Nothing has been hacked, as some implied, since there is nothing to hack.
That said, I have updated the TLS configuration at the CDN for all domains, not just the flavour maker site. All http requests are now redirected to https, strict https is enabled and all redirections are proceed and terminated at the CDN.
That has made it possible to completely disable http, for every domain, on the origin servers. All origin server connections are verified with a client certificate to ensure they originate from the frontend CDN.