diff --git a/forgot_form.cgi b/forgot_form.cgi index a8ed3d82b..118f490d7 100755 --- a/forgot_form.cgi +++ b/forgot_form.cgi @@ -17,7 +17,8 @@ $ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 || &error($text{'forgot_essl'}); &ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1); - +print &ui_alert_box(" ⚠ ".$text{'forgot_nossl_warn'}, 'warn') + if ($gconfig{'forgot_pass'} == 2 && $ENV{'HTTPS'} ne 'ON'); print "
\n"; print $text{'forgot_desc'},"

\n"; print &ui_form_start("forgot_send.cgi", "post"); diff --git a/lang/en b/lang/en index 59a1f7b55..4385e8d71 100644 --- a/lang/en +++ b/lang/en @@ -185,6 +185,7 @@ forgot_erate=Too many password reset attempts for $1! Please try again later. forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery. forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed forgot_nossl=Yes, and allow over insecure connection +forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks. pam_header=Login to Webmin pam_mesg=You must respond to the question below to login to Webmin server on $1.
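Review bot: The banner printed after `ui_print_header` is advisory only: when `$gconfig{'forgot_pass'} == 2` and `$ENV{'HTTPS'} ne 'ON'`, the form below it still posts to `forgot_send.cgi` over the same cleartext connection. Because the page itself arrives unencrypted, the banner can be altered or removed in transit, so it should not be counted as a control. A comment above the new `print` would make that explicit, e.g. `# Advisory only: mode 2 still submits the reset over plain HTTP; only the admin can turn this off, not the requester`. The new condition is the same case-sensitive string compare as the guard above it, so if this page is ever served behind a TLS-terminating front end the banner would presumably appear on an encrypted client connection; worth confirming. The script continues outside the hunk, so how the reset request is handled after submission is not visible here.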