diff --git a/js/login_prevent_resubmit.js b/js/login_prevent_resubmit.js
new file mode 100644
index 00000000..de13d0e9
--- /dev/null
+++ b/js/login_prevent_resubmit.js
@@ -0,0 +1,3 @@
+if (window.history.replaceState) {
+    window.history.replaceState(null,null,window.location.href);
+}
diff --git a/login.php b/login.php
index 148a2dfe..91884b10 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,6 @@
 <?php
 
-header("X-Frame-Options: DENY");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 if (!file_exists('config.php')) {
     header("Location: setup.php");
@@ -66,7 +66,7 @@ if ($config_login_key_required) {
 ini_set("session.cookie_httponly", true);
 
 // Tell client to only send cookie(s) over HTTPS
-if ($config_https_only) {
+if ($config_https_only || !isset($config_https_only)) {
     ini_set("session.cookie_secure", true);
 }
 
@@ -227,6 +227,8 @@ if (isset($_POST['login'])) {
 
         // Password incorrect or user doesn't exist - show generic error
 
+        header("HTTP/1.1 401 Unauthorized");
+
         mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'");
 
         $response = "
@@ -309,21 +311,17 @@ if (isset($_POST['login'])) {
 
 <!-- jQuery -->
 <script src="plugins/jquery/jquery.min.js"></script>
+
 <!-- Bootstrap 4 -->
 <script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
+
 <!-- AdminLTE App -->
 <script src="dist/js/adminlte.min.js"></script>
 
-<script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script>
+<!-- <script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script> -->
 
 <!-- Prevents resubmit on refresh or back -->
-<script>
-
-    if (window.history.replaceState) {
-        window.history.replaceState(null,null,window.location.href);
-    }
-
-</script>
+<script src="js/login_prevent_resubmit.js"></script>
 
 </body>
 </html>
diff --git a/portal/document.php b/portal/document.php
index d17e6909..fd1fb431 100644
--- a/portal/document.php
+++ b/portal/document.php
@@ -4,7 +4,7 @@
  * Docs for PTC / technical contacts
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");
 
@@ -57,7 +57,7 @@ $document_content = $purifier->purify($row['document_content']);
     </div>
 
     <br>
-    
+
     <div class="card">
         <div class="card-body">
             <h3><?php echo $document_name; ?></h3>
diff --git a/portal/documents.php b/portal/documents.php
index 5d950689..e6cfa819 100644
--- a/portal/documents.php
+++ b/portal/documents.php
@@ -4,7 +4,7 @@
  * Docs for PTC / technical contacts
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");
 
diff --git a/portal/index.php b/portal/index.php
index 78528659..6e1ad752 100644
--- a/portal/index.php
+++ b/portal/index.php
@@ -4,7 +4,7 @@
  * Landing / Home page for the client portal
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");
 
diff --git a/portal/invoices.php b/portal/invoices.php
index 5b74f2a4..590de567 100644
--- a/portal/invoices.php
+++ b/portal/invoices.php
@@ -4,7 +4,7 @@
  * Invoices for PTC
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");
 
diff --git a/portal/login.php b/portal/login.php
index 0400159b..f4eae805 100644
--- a/portal/login.php
+++ b/portal/login.php
@@ -4,9 +4,7 @@
  * Landing / Home page for the client portal
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
-
-header("X-Frame-Options: DENY");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 $session_company_id = 1;
 require_once('../config.php');
@@ -162,19 +160,15 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
 
 <!-- jQuery -->
 <script src="../plugins/jquery/jquery.min.js"></script>
+
 <!-- Bootstrap 4 -->
 <script src="../plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
+
 <!-- AdminLTE App -->
 <script src="../dist/js/adminlte.min.js"></script>
 
-<script src="../plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script>
-
 <!-- Prevents resubmit on refresh or back -->
-<script>
-    if (window.history.replaceState) {
-        window.history.replaceState(null,null,window.location.href);
-    }
-</script>
+<script src="../js/login_prevent_resubmit.js"></script>
 
 </body>
 </html>
diff --git a/portal/login_create.php b/portal/login_create.php
deleted file mode 100644
index e69de29b..00000000
diff --git a/portal/login_reset.php b/portal/login_reset.php
index ba4ca8de..87b07b47 100644
--- a/portal/login_reset.php
+++ b/portal/login_reset.php
@@ -4,6 +4,8 @@
  * Password reset page
  */
 
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
+
 $session_company_id = 1;
 require_once('../config.php');
 require_once('../functions.php');
@@ -274,19 +276,15 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 
 <!-- jQuery -->
 <script src="../plugins/jquery/jquery.min.js"></script>
+
 <!-- Bootstrap 4 -->
 <script src="../plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
+
 <!-- AdminLTE App -->
 <script src="../dist/js/adminlte.min.js"></script>
 
-<script src="../plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script>
-
 <!-- Prevents resubmit on refresh or back -->
-<script>
-    if (window.history.replaceState) {
-        window.history.replaceState(null,null,window.location.href);
-    }
-</script>
+<script src="../js/login_prevent_resubmit.js"></script>
 
 </body>
 </html>
diff --git a/portal/portal_header.php b/portal/portal_header.php
index e800f367..c87dab96 100644
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@@ -12,7 +12,7 @@ header("X-Frame-Options: DENY"); // Legacy
 <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <title><?php echo nullable_htmlentities($company_name); ?> | Client Portal</title>
+    <title><?php echo nullable_htmlentities($session_company_name); ?> | Client Portal</title>
 
     <!-- Tell the browser to be responsive to screen width -->
     <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -32,7 +32,7 @@ header("X-Frame-Options: DENY"); // Legacy
 
 <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
     <div class="container">
-        <a class="navbar-brand" href="index.php"><?php echo nullable_htmlentities($company_name); ?></a>
+        <a class="navbar-brand" href="index.php"><?php echo nullable_htmlentities($session_company_name); ?></a>
         <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
             <span class="navbar-toggler-icon"></span>
         </button>
diff --git a/portal/profile.php b/portal/profile.php
index cac8630a..0a938abf 100644
--- a/portal/profile.php
+++ b/portal/profile.php
@@ -4,7 +4,7 @@
  * User profile
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once('inc_portal.php');
 ?>
diff --git a/portal/quotes.php b/portal/quotes.php
index f89d5f31..3562ad12 100644
--- a/portal/quotes.php
+++ b/portal/quotes.php
@@ -4,7 +4,7 @@
  * Quotes for PTC / billing contacts
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");
 
diff --git a/portal/tickets.php b/portal/tickets.php
index c207f83b..24b1b92d 100644
--- a/portal/tickets.php
+++ b/portal/tickets.php
@@ -4,7 +4,7 @@
  * Landing / Home page for the client portal
  */
 
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 
 require_once("inc_portal.php");