Should extended Latin characters in URLs (ü, ö, etc.) be percent-encoded as standard?

I am putting together an English language site which contains its own German translation (don’t worry, I’ve lived in Germany and I have a degree in Germanic and Slavonic Studies, it’s proper German…).

I am wondering what the best practice is regarding extended Latin characters in URLs.

If I have a URL like:

https://example.com/fußgängerbrücke/ 

Am I better to link to it internally as:

  • a) /fußgängerbrücke/
  • b) /fu%C3%9Fg%C3%A4ngerbr%C3%BCcke/
  • c) /fussgaengerbruecke/

I have no problem doing any of the above and I am quite happy to use .htaccess mod_rewrite if and where necessary to ensure that variants all 301 to the correct canonical page.

On that note, a secondary question: which format (if different) should I be using for the <link rel="canonical"> in the <head>?

I am signing (HMAC) outgoing webhooks to allow users to verify their source, should I also sign outgoing responses?

To allow API users to verify the authenticity of outgoing webhooks, I am using a similar model to Slack:

  • Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.

  • Recipient does the same, and compares to the digest in the header.

I can either implement this exclusively on outgoing webhooks, or I can implement it as middleware that performs this process on both outgoing webhooks, and responses to requests.

Is doing the latter good practice? A good idea?
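
The signing scheme described in the question above, as an added example that is not part of the original post. The header names, the `:` delimiter, SHA-256, the 300-second window and the key are assumptions chosen for illustration; the sample body is constructed.

```python
import hashlib
import hmac
import time

# Constructed sample key; in practice this is the pre-shared secret per recipient.
SECRET = b"constructed-pre-shared-key"
TOLERANCE_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp and body."""
    # A delimiter between the two fields keeps (ts=12, body=b"3x") and
    # (ts=1, body=b"23x") from producing the same signed message.
    message = str(timestamp).encode() + b":" + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, body: bytes, now=None) -> dict:
    """Sender side: headers to attach to the webhook (names are assumptions)."""
    ts = int(time.time() if now is None else now)
    return {"X-Timestamp": str(ts), "X-Signature": sign(secret, ts, body)}


def verify(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Recipient side: recompute the digest over the raw body and compare."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        received = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed headers
    # Reject stale or far-future timestamps so a captured request
    # cannot be replayed indefinitely.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())
```

The recipient must verify against the raw bytes received, before any JSON parsing or re-serialisation, or the digests will not match.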

Rebooted host machine from inside VM, should I report this issue and where to report?

Excuse my ignorance as I don’t work in infosec.

I ran reboot inside a Linux virtual machine using VirtualBox on Mac and it rebooted my host machine. I am trying to reproduce the problem but haven’t gotten it right just yet.

If I am able to reproduce the issue, should I report it and who should I report it to?

Freelancer has access to Firebase Database. What should I do?

Back in November, I put up a $100 bounty on a freelancer website for anybody who could debug a bug I had found in my app I was developing and couldn’t squash. It turns out the freelancer was in no position to work for me. He had lied about being Danish (he was actually from northeastern China and had such a poor internet connection, he could barely run my app). Furthermore, his English was far worse than any freelancer I had worked with previously, you cannot even hold a conversation with him.

Anyways, I want to redact my $100 that I staged up for him, but I’m afraid of him vandalizing my database as an act of retaliation. He has cloned my project from GitHub, including the GoogleService-Info.plist file that would allow him to make changes to my backend.

My project is still in Beta, but is slated to go public next month. Should I just generate a new GoogleService-Info.plist file and force all current beta users to update their version (the previous version will be unusable) or should I just go with it and hope the freelancer doesn’t destroy everything I have?

PS: Sorry, this may not be the correct StackExchange site for this question. I am a seasoned Stack Overflow user and know it wouldn’t be appropriate there. If somebody points me to a better site, I will gladly move the question.

How should I restrain myself when both playing a character and DMing?

I’m currently playing an IRL game with two of my friends. As you might imagine, I was worried that they weren’t powerful enough to take on the higher level encounters so I made a character to help them out. They were both new to D&D so I didn’t want to overload them with a gestalt character. However, now I’m worried that I might use my DM powers to make my character more powerful than the other two.

I just want to know something to help prevent myself from using my magic DM powers for evil.

Right now, we have a sorcerer and monk so I was considering making a tank-ish cleric.

Should I have to roll to copy a spell into my Book of Ancient Secrets?

The Book of Ancient Secrets invocation says (PH p. 110):

On your adventures, you can add other ritual spells to your Book of Shadows. When you find such a spell, you can add it to the book if the spell’s level is equal to or less than half your warlock level (rounded up) and if you can spare the time to transcribe the spell. For each level of the spell, the transcription process takes 2 hours and costs 50 gp for the rare inks needed to inscribe it.

There’s no mention of rolling anything.

But in the DMG (p. 200) under the Spell Scroll magic item it says:

A wizard spell on a spell scroll can be copied just as spells in spellbooks can be copied. When a spell is copied from a spell scroll, the copier must succeed on an Intelligence (Arcana) check with a DC equal to 10 + the spell’s level. If the check succeeds, the spell is successfully copied. Whether the check succeeds or fails, the spell scroll is destroyed.

This entry refers specifically to wizard spells, and seems to be more directed toward wizards copying wizard spells into their spellbooks, but since warlocks can copy any scroll, that would also include wizard scrolls.

I’ve copied one spell already in our campaign, and the DM didn’t call for a roll, which is fine with me, but I’m just wondering if anyone knows what was intended.

Secure HTTP Headers – where should they be implemented, WAF or code level?

I have a REST API exposed to the Internet and another application with form-based authentication.

These apps are behind a Web Application Firewall.

The question is, where should I implement the secure HTTP headers below: on the WAF or at code level?

  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options
  • X-Permitted-Cross-Domain-Policies
  • HTTP Strict Transport Security
  • HTTP Public Key Pinning
  • Content Security Policy
  • Referrer Policy
  • Feature-Policy

Aesthetic URL problem: Website from server02 should look like it’s in a subdirectory of the main site from server01

www.example.com is on server01 with IP address 192.0.2.123

abc.example.com is on server02 with IP address 192.0.2.21

I actually do not want the subdomain abc. Ideally I want it at www.example.com/abc. I want to have a more cohesive website for usability and aesthetics. For non-technical people, having the content in a sub-directory feels that you are still on the same site compared to going to a sub-domain.

My problem is that the code for the subdomain site (Site2) is on server02 with a different IP. I cannot use just 1 server for the 2 sites: Site1 is using Apache, MySQL, and PHP for PHP websites and static websites. Site 2 is a webapp that uses nginx, Ruby and PostgreSQL. Maintenance-wise, IMHO, it is easiest to have site02 on a separate server. But as I said, it would be great if it can be visited by the end-user in a sub-directory of the main domain.

Is there a way for me to achieve this?

What is the property of a PL that extracting a subroutine should not change the meaning?

What is the name of the property of a Programming Language that says that extracting a subprogram into a subroutine and using that subroutine instead of the subprogram should not change the meaning of the program?

I could swear that this exists and that it has a well-known name, but I can’t for the life of me remember it. My efforts to search for the name have been thwarted by being swamped with results for the Liskov Substitution Principle or Referential Transparency.

What I am looking for is the property that I should be able to replace

printf("Hello"); 

with

void hello() {
    printf("Hello");
}

hello();

without changing the meaning of the program.

I think it is named after the person who coined it, but I am not sure. Something like XYZ Equivalence or XYZ Principle where XYZ is the name of a well-known Computer Scientist. I want to say Strachey, but I couldn’t find a mention of anything similar in Fundamental Concepts in Programming Languages.

How Should Speed and Range Affect Hit Probability?

If one were to go for an increased degree of realism, and try to build a probability curve that produces most sensible results (but simplified, of course, since there is no such thing as a perfect simulation), then approximately what sort of correlation should there be between distance to the target, speed of the target, and the chance to hit the target (under otherwise similar circumstances, i.e. same aiming time, weapon, character/skill etc.)?

Examples: There are systems which reduce the chance to hit by the same percent per range fixed increment added to the range of the target. There are systems which stack range penalties by a logarithmic function of range (e.g. a stacking penalty per doubling until reaching some cutoff range). There are systems which provide a constant speed penalty entirely separately from range, and systems which add speed and range when calculating the penalty. Some of these systems’ probability effects are complicated by the fact that they use non-linear dice curves. Some argue that the function of probability reduction should be a quadratic relation to range, since for each doubling of range, the target’s projection becomes ¼ of its previous observed value (percent of FoV taken up), but I don’t recall any systems that explicitly and deliberately implemented anything like that.

After asking elsewhere, I’ve been pointed to Steering law and Fitts’s law, but they seem to be meant for fixed accuracy and variable time, while in RPGs, fixed aim time and variable chance to hit are much more workable.

Note that I’m not asking about which dice mechanics to use for modelling those probability adjustments, as I’m assuming that there are multiple ways of fitting dice to a desired probability function, but first I’d like to learn what probability functions are most fitting (simplified and generalised, of course) representation of real life shooting situations.