1. it defaults to HTTP on the website
I will totally remove HTTP
2. it does support HTTPS, but it's a free certificate from CloudFlare, so I bet they're using the "Flexible SSL" setting. That means that connection is only encrypted between you and CloudFlare, but then it's unencrypted plaintext between CloudFlare and FaucetSystem.com servers.
FULL, but self-signed
3. they use HTTP endpoints in their libs for migrating Faucet in a BOX script
4. their login form is vulnerable to brute-force attacks
5. no password reset?
6. "I agree to terms and conditions" checkbox, but there's no link to terms anywhere
7. fees for users (not just owners' deposits); that doesn't seem to be mentioned anywhere on the site, only here on the forum
Several days and I'm fixing it
8. there are CSRF vulnerabilities on all forms! That's critical! It means that if someone can compel you to click anything on a random site while you're logged in to FaucetSystem.com, they can do pretty much any action on your account. Imagine that someone asks you to check his faucet, you click "Claim" on their faucet and suddenly the API keys of all your own faucets are disabled! I think that only password changing is protected (as it requires providing the old password).
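One standard way to close the hole described in item 8, as an added PHP example that is not FaucetSystem.com's code: every state-changing form carries a per-session token that a third-party site cannot read, and the handler refuses the request when the token is missing or wrong. The session key, form field name and the "disable API key" action are assumptions made for the illustration.

```php
<?php
// Added example (not FaucetSystem.com's code): synchronizer-token CSRF
// protection for a state-changing form. Assumes PHP >= 7.3 with sessions
// enabled; names of the session key and form field are my own choice.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function csrf_token(): string
{
    // One token per session, from the CSPRNG; reused until the session ends.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    // A forged cross-site POST carries the victim's session cookie but cannot
    // read the token out of the session, so it fails this constant-time check.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Only now perform the action (hypothetical): disable the faucet's API key.
    echo 'API key disabled';
    exit;
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Disable API key</button>
</form>
```

The same token field must be added to every form that changes account state (API keys, withdrawal addresses, faucet settings), not only the password form.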
My faucet is self-made. Can you give me some startup on how to send a payment with your API?
$pay = new FaucetSystem($api_key, $currency); // $api_key and $currency from your FaucetSystem account
$pay->send($to, $user['balance']);            // send the user's whole balance to address $to
Replace 'faucetbox.com' with 'faucetsystem.com' in your scripts and enjoy.