I am receiving a pluggable.php warning sign on my only http:// page

I just recently shared a link to my site ysing he http but instead of redirecting, i just displays this:

Warning: Cannot modify header information – headers already sent by (output started at /home/thecmltm/public_html/index.php:1) in /home/thecmltm/public_html/wp-includes/pluggable.php on line 1281

Warning: Cannot modify header information – headers already sent by (output started at /home/thecmltm/public_html/index.php:1) in /home/thecmltm/public_html/wp-includes/pluggable.php on line 1284

I have searched all over the web but they all talk about function.php or wp_configure.php but that is not what my problem is. I have tried editing the index.php but nothing is wrong with it.

Please help me. Thanks in advance!

Have I finally gone insane, or does the “sign up” page of BitMitigate redirect to 127.0.0.1? [closed]

I heard this mentioned today, so I looked it up: https://bitmitigate.com/

OK. Yet another ultra-confusing, nonsensical (to me) website with extremely unclear purpose. But once I clicked the big button saying "Get Started", which links to:

https://bitmitigate.com/user-panel/sign-up.html 

… my browser (Pale Moon) actually went to:

http://127.0.0.1/ 

What could possibly explain this? I also tried with uBlock Origin turned off. Same result.

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Which membership plugin for a simple sign in? Personal areas for customers

Most of the membership plugins I have found seemingly operate on the logic of the website having paying subscribers. I am not looking to make a publishing/blogging website with restricted access to articles. I am not interested in a plugin that I must continually pay for. I won’t be billing my customers on a monthly basis.

Imagine a company website with a small login section.

I am looking for something that’ll allow me to restrict access to certain areas, each individual area restricted to the specific customer. Within this area, they might have access to reports or statistics or links that are personal.

I need a plugin that’ll assist me in maintaining a number of users, to which I myself have created their accounts (no sign-up procedure) and set the perimeters of access.

Is this doable with WordPress or should I be looking at an entirely different solution?

When a user registers their mobile number during sign up, how can we verify that they really own the mobile number?

A lot of websites send a 4-digit or 6-digit one-time code to a mobile number via SMS or phone call when the user registers a mobile number on the website?

Is this a secure way to validate the ownership of mobile number? Are there any issues with it?

If it is not secure, are there any better alternatives?

Password is visible in online sign up form

I am about to sign up for an online school, which is an accredited statewide online school, and notice that the password they want me to enter is fully visible on the form. Should I be concern about their information security? Does a form like this indicates that the way the way the school protects students’ data is not secure, such as storing password verbatim rather than something like one-way hash?

If such forms violate established data security practices, what document(s) should I refer to the school’s IT people regarding that?

Online sign-up form

Restrict CA to issue certficates for one domain or to be able to sign just one server certificate

I have a server and I want my iPhone to connect to it securely. However, I cannot just install the self-signed server certificate on my iPhone. When I install the profile (that’s what they call the certificate), it says "Not verified".

Normally, you would go to CA Trust settings and enable full trust for the certificate. BUT I deliberately made the certificate with critical,CA:false constraint. That’s the reason it does not show in the CA Trust settings.

Why did I do it — I just need to install the single certificate and I don’t want to totally compromise my iPhone security, if my CA credentials got stolen.

Do this have a solution? iOS probably requires a CA to trust a certificate, but I don’t want a possibility to create certificates at all (beside the one), or at least for another domains.


One potential "solution" might be to create the CA, sign the server certificate and then delete the CA key, as it would not be needed and would live for a shorter time (lower chance to get stolen).

However, people except me wouldn’t be stoked to install it. (I don’t want to buy a certificate as its a home project and I don’t even have a domain name, just the IP address.)

The certificate complies with apple’s current requirements for server certificates. (https://support.apple.com/en-us/HT210176)

Sign records in a database

I have a table in my database where I store records to be processed later (basically orders that need to be invoiced or something similar, but this is not the important part).

Since this software runs on-premises, pro-users controls the database and they’re able to insert records directly into it. They usually do this to make my system process records in an unsupported way. Obviously, this leads me to problems that I often need to deal: inconsistency, invalid domain, missing fields, etc.

To avoid this problem, I’d like to know what are my options to "sign records", that is, identify the records generated by my system in a way that others can not reproduce.

Several approaches came to my mind when I think in this problem:

  • Create some undocumented record hash (that can be reverse engineered);
  • Use a digital certificate to sign records (where to store the digital certificate? the system runs offline on-premises);
  • Use some kind of blockchain approach: linking a record with the previous + some proof of work (maybe too hard to implement and error prone).

Are there other approaches I am not considering? If not, between the ones I listed, is there an approach I should stick/avoid?

Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, send un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are corectly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I’m aware copies entries from valid red. uris)

Google seems to return no results related to my problem.

LifeLong Free Web Hosting – Sign Up Today : Hostpoco.com

For every webmaster, Who wants to start a new business and looking for a reliable Hosting Plan? Hostpoco is the Best Solution for it.

“Now Hostpoco is becoming the first choice for Free Web Hosting in Google Search and we are always trying to give the best possible features with our services and hence most of the clients are now moving with Hostpoco. Our features like max space and bandwidth perfectly suit for startups..hence we are requesting everyone to try our services once and then decide”

Free Startup plan: $0/Lifetime

• Single Domain Hosting
• 200MB Web Space
• 200MB Bandwidth
• 2 Email Accounts
• 2 Sub Domains
• FREE Auto SSL
• DDOS Protection
• 99.99% uptime
• Softacolous Supported
• Tier 1 Technical Support

Hostpoco offers you the freedom to upgrade your existing Free Web Hosting plan to Paid Unlimited Web hosting service plan and we guarantee that there won’t be any type of data loss of such upgrades. You simply suppose to initiate the upgrade from the client area and need to pay the respective amount and the new package will be assigned as soon as you are done with the payment! Note: Free Hosting Package limited with quantity of 1 per account.

For more Details:https://www.hostpoco.com/

Thank you.