Unless I'm missing something, there is no HTTPS/TLS in the web server (and I'll assume clients too)
In this new world of The Internet of Insecure Things, not having the web server use TLS is scary for a system that runs your house and possibly alarm systems. Not to mention using it as a pivot point.
The old and tired meme of "Its my house, who'd even think to look for it" Ever look at your router logs??? CHUCK full of login attempts, port scans, etc.
Using geoip location I've seen most countries trying to get in to my system.
Even self signed certs or RSA ssh key pairs could be used.
HSTS would be optimal.