Keeping the world alive whilst PCs take a rest mid-adventure?

My players and I just started up Lost Mines of Phandelver and upon discovering the Cragmaw Hideout at the start of the adventure, they decided to double back to where they left the oxen at the initial ambush site and attempt to take a long rest after a close encounter with the Goblins taking watch outside, which is where our first session ended.

To clarify, they killed the watchers before fleeing with their downed comrade (who took two arrows in the chest during a surprise round) but left the bodies. Obviously the goblins will take note of the corpses left at their front door, so my two ideas are:

  1. The goblins are now more prepared for an intruder in their hideout so set up extra traps in and around the dungeon to catch the killers.

  2. Goblin scouts are sent out to find the players, eventually stumbling upon their camp near the ambush site whilst they rest. I plan on this disrupting any potential for a long rest.

Does anyone have experience doing these kinds of adjustments to an existing adventure? If so, how did you make sure that the players were made aware that taking a rest at a critical moment (even though it was necessary to heal a downed teammate) has had consequences making their initial task more difficult?

I’d also like to know which of my two ideas seems more fair to the players to get my message of resting in a hostile location across to them. I want to punish them but not too harshly due to them being only level 1.

Keeping self signed CA certification a secret [duplicate]

I have a server that has a public and private key pair that are known by my own self-hosted CA.

A client wants to send the server some sensitive data. When the client receives the server’s public key, to initiate a TLS connection, the client obviously has to contact my CA to verify the server is not an imposter.

The client has to also make sure my CA is not an imposter. Is the only option for facilitating this to obtain a non-self-signed, legitimate certificate from another CA, embedded into the software tools the client is already using to communicate all this? Or, as a second option, send the client our CA certificate beforehand, like in an email, to use in all future communications with our CA? How is this normally handled in software exposing public APIs over secure connections and who want to manage their own PKI?

How to decide for a database structure for a financial accounting app (keeping in mind scaling)?

We are building a financial accounting application for users to manage single and multiple companies under them. The user can be an accountant with n number of companies under it or a single company itself. We are trying to understand how the database for such an application needs to be designed.

Functionality:

  1. The ability of an accountant to see all open invoices across all the companies he is handling.

  2. The ability to archive datasets of companies when they leave us.

  3. The ability to fetch data from multiple companies under one accountant to generate reports.

Database structure:

There are three possible database structures but we need to know which one best suits us:

  1. Have a parent database that holds all accounts and company information. Every company gets its own database to handle and store all transactions.

  2. Have a single DB to hold all users and company profile data and every individual company gets its own set of tables to store transactions.

  3. Have a single DB that holds all the transaction data of all companies in a single table called transactions.

We are trying to understand which DB architecture suits us the best. I have MySQL/MariaDB in mind (solely because data is all relational) but if you think other databases would be better, I would definitely like to know more about it.

Are there official ways to avoid level adjustment while keeping racial features?

I’m familiar with UA’s “LA Buyoff”, wherein a high-level character can spend XP to reduce their level adjustment, as well as PGtF’s “Powerful Races at 1st Level”, which basically gives negative level penalties for LA races that turn into regular level adjustments as you gain your first few levels. (There’s also “Savage Progressions”, but those aren’t really ways for getting rid of LA, since they come with the full LA of the final monster.)

Both of these approaches simply take the issue of level adjustments and move them to different spots in character progression, though. Is there any way to simply get rid of level adjustments altogether?

I have seen one method, used in E6, where LA races simply get fewer points with which to buy ability scores. Does this have any basis in official Dungeons and Dragons products, though, or is it just for E6? It seems to imply that regular races get a 32-point point buy, so I’m guessing the latter, but I thought I’d bring it up.

(I also know Savage Species had some general guidelines on how to determine level adjustments, but they seem more intent on giving LA based on features rather than reducing LA, like by converting LA into RHD (since working backwards with its LA guidelines is basically going backwards through a savage progression, aka removing racial features))

All that is to say, I’m looking for a method that: Gets rid of LA (from 1st level all the way up), doesn’t sacrifice racial features, and isn’t homebrew/houserule. Is there such a thing, or would I have better luck chasing unicorns?

I’m playing a Marilith demon who is leader of an evil campaign. After hitting very high levels, how should I go about keeping the party together?

During a while of playing a 2e session with multiple 3.5e conversions, I have recently (in the past 7 years) been experimenting with playing Evil campaigns and playing Monster characters such as Mind Flayers (which I’m really good with), a Gloom (part of an Epic Level beginning game), Baatezu, Trolls, Fairies, Sprites, Hunefers (another Epic Level beginning campaign), Bugbears, and a small handful of other monsters. In this campaign, we have been going on for 2 years of gameplay, reaching levels between 64-76.

Current Party

  • Neutral Evil Medusa (Lvl 72 Wizard/ Archmage 5)
  • Chaotic Evil Marilith Tanar’ri (Lvl 77 Warrior)
  • Chaotic Evil Vrock Tanar’ri (Lvl 38 Barbarian/Lvl 34 Legendary Dreadnought)
  • Chaotic Evil Succubus Tanar’ri (Lvl 66 Bard/ Lvl 2 Rogue)
  • Lawful Evil Noble Efreeti (Lvl 20 Fighter/Lvl 48 Fire Elementalist)
  • Neutral Evil Chameleon Greater Barghest (Lvl 56 Assassin/Lvl 20 Perfect Wight)
  • Chaotic Evil Vampire Drow (Lvl 32 Blackguard/ Lvl 20 Cleric/ Lvl 24 Divine Emissary)
  • Neutral Evil Corpse Tearer Linnorm (Lvl 60 Necromancer/ Lvl 18 Dread Necromancer)

I am having a slight problem trying to figure out how to keep this diverse group together. The blood war, the personal problems, and the ambitions in the group are causing us to be a bit nervous. Each of us is having a difficult time with personal goals. During our time we have battled the armies of heavens, slaughtered many baatezu/devils, plundered villages, battled against the forces of good, fought against the harpers including battles against Mystra’s chosen, and basically ravaged most planes. Now after a while of our power growing, some of us have become slightly more distant from others and others have become a little suspicious of each other, causing many to create secondary plans and safeguards just in case. I do not want this to grow out of control, for this campaign is too amazing to quit. I need a solution that does not involve a common enemy (for specific reasons) or involve money. So, how should I string together this merry band?

What is the most optimal build for keeping an infinite Crab Swarm apocalypse at bay?

My friends and I were discussing a meme we saw when our imaginations took us way too far, and now I’m curious about how many Crab Swarms it would take to kill the most efficient Crab Swarm killer, and who the most efficient Crab Swarm killer could be.

Setup:

You are an adventurer who happened upon some hijinks and now suddenly, you’re in the middle of a Crab Swarm apocalypse. That is,

  • You’re in the center of a 20sqx20sq (100ft x 100ft) flat square plain;
  • You have one week to prepare;
    • For purposes of this theoretical, you may assume you have any necessary resources in infinite amounts.
  • and, after that week, Crab Swarms begin to appear from all directions in an infinite stream.
    • There is nothing special about any individual Crab Swarm; each is exactly as described.
    • They are all hostile against you, specifically, and will do anything within their crablike powers to murder you.
    • The stream will not be stopped and cannot be halted until you are dead.

Specifically, I am interested in two scenarios: a level 5 adventurer (because Crab Swarms are CR4, so one level 5 adventurer should theoretically be able to defeat a Crab Swarm); and any arbitrary level 20 adventurer (for whom 250 CR4 Crab Swarms would make a CR20 encounter). What are the most effective builds at these levels for eliminating Crab Swarms and/or prolonging survival?

Caveats:

Spells like Teleport or maintaining indefinite amounts of Rope Tricks, while technically valid for the definition of prolonging survival, are not in the spirit of the scenario, and shouldn’t be considered. Running away is not an option.

By “murder”, I don’t necessarily believe that killing is required. Simply teleporting them to another Plane via skills like, say, Initiate of the Seventhfold Veil’s Violet Veil skill is an equally valid strategy (as well as being hilarious in concept).

I am open to basically any valid Pathfinder solution to this problem, from published books. Psionics, Path of War, whatever, bring it on.

Keeping passwords in plain text in “value” attribute. Addons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how the Surfingkeys addon works, I noticed that it has a command, yf, to copy form content on the current web page. I thought about testing it on “Sign In” and “Log In” forms on a few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I noticed that in most web applications the password is kept in the <input value=""> attribute in plain text, which to me seems like a by-standard security hole for the whole W3 stack (HTML, CSS, JS, etc.). If this addon was able to get the password from the DOM, then any addon can do that. The only piece missing is sending that data to a server of a 3rd party who are the owners of such a malicious addon – such a situation already took place with Stylish.

So the attack scenario looks like this:

  1. Company “mal1c1ous” buys a popular web addon.

  2. They add to the addon a generic <form> parser script which retrieves data from <input value="">.

  3. For each known website, they make their addon “decorate” submit buttons with a script which on click first sends a request with credentials to their server and then to the host of that website. Or they just send requests each time the parser script is able to get new data.

  4. After some time they perform an attack using the gathered credentials.

I find that scenario possible; show me that it can’t happen. Also, my question is: given that, is Web security flawed by design?

The thing is that no one discourages using <input value=""> as a password holder; it seems that there is no other option by standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before the request is made.
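
An added example, not part of the original post: an addon can read form fields only on pages where its scripts are injected, so a defender reviewing the update scenario above can compare the site access requested by two versions of an addon's manifest. The keys `content_scripts`, `matches`, `permissions` and `host_permissions` are standard WebExtension manifest keys; the function names and the two sample manifests are constructed for illustration.

```javascript
// A match pattern whose host part is a bare "*" reaches every site,
// as does the special pattern "<all_urls>".
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Collect every broad pattern a manifest requests, with where it appears.
function broadAccess(manifest) {
  const found = [];
  const check = (where, patterns) =>
    (patterns || []).filter(isBroad).forEach((p) => found.push(`${where}: ${p}`));
  // Content scripts are injected automatically into matching pages.
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  check("permissions", manifest.permissions);           // Manifest V2 host access
  check("host_permissions", manifest.host_permissions); // Manifest V3 host access
  return found;
}

// Broad access requested by the updated manifest but not by the previous one.
function escalation(oldManifest, newManifest) {
  const before = new Set(broadAccess(oldManifest));
  return broadAccess(newManifest).filter((f) => !before.has(f));
}

// Constructed sample manifests: one hypothetical addon, before and after an update.
const v1 = {
  name: "Example Helper", version: "1.0", manifest_version: 2,
  permissions: ["storage", "https://example.test/*"],
  content_scripts: [{ matches: ["https://example.test/*"], js: ["helper.js"] }],
};
const v2 = {
  name: "Example Helper", version: "1.1", manifest_version: 2,
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["helper.js", "forms.js"] }],
};

// Report what the update newly gained access to.
console.log(escalation(v1, v2));
```

An update that moves an addon from a few named hosts to every site is the point at which to review what the new scripts do before allowing it.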