@dylenbrivera My NodeBB forum (The Cellar, still in alpha) is geared towards hackers. Although nobody has done a full audit yet, many members have already run some tests. When I find the time, I will perform a full review.
igbuend
Posts
-
Security, Security, Security.
-
Community and Shop
@Ninja-Scott If you want to go NodeJS the whole way, just have a look at Reaction for an online store/shopping cart.
-
[nodebb-plugin-adsense] Google Adsense
Small request: can you leave out the "http:" in the AdSense URL in main.js? Now some browsers get a security warning when the forum is running with HTTPS. If you leave out the protocol, the browser will automatically use HTTP or HTTPS depending on what was used to load the page with the AdSense link. Thanks a lot!
-
[nodebb-plugin-twitter] Twitter tweet embed plugin
Small request for improvement: in library.js you have the hardcoded link http://platform.twitter.com/widgets.js. This gives problems (or warnings) with forums that run using HTTPS. Can you modify the link to //platform.twitter.com/widgets.js? That way the browser will automatically choose HTTP or HTTPS depending on which protocol was used for loading the page :). Thanks!
-
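The two requests above (the AdSense plugin and the Twitter embed plugin) describe the same mechanism: a script src written as "//host/path" takes the scheme of the page that loads it, while a hardcoded "http://" src on an HTTPS page is mixed content. The following is an added example, not code from either plugin or from the poster, showing how a browser resolves such a src against the page URL and which combinations trip the mixed-content check. The forum page URLs are constructed for the example; the only real URL is the widgets.js link quoted in the post. One caveat beyond what the posts ask for: both hosts involved serve HTTPS today, so the simplest hardening is to write https:// outright, which the upgradeToHttps helper (my own, not the plugin's) does.

```javascript
// Added example, not code from either plugin: how a browser resolves a script
// "src" against the page that loads it, and which combinations trip the
// mixed-content check that produces the warning the posts describe.
// Uses the WHATWG URL class, which Node.js and current browsers share.

// Constructed page URLs standing in for a forum served over each scheme.
const PAGE_HTTPS = "https://forum.example/topic/123";
const PAGE_HTTP = "http://forum.example/topic/123";

// The hardcoded link from library.js and the scheme-relative form the post asks for.
const HARDCODED_SRC = "http://platform.twitter.com/widgets.js";
const RELATIVE_SRC = "//platform.twitter.com/widgets.js";

function resolveScriptSrc(src, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(src, page); // scheme-relative "//host/path" takes page.protocol
  // A script fetched over http: into an https: page is "blockable" mixed content:
  // modern browsers refuse it outright, older ones warn (the symptom in the posts).
  const mixedContent = page.protocol === "https:" && resolved.protocol === "http:";
  return { href: resolved.href, mixedContent };
}

// Goes one step further than the posts: force https:// for absolute or
// scheme-relative sources. Assumes the third-party host serves HTTPS (both
// hosts discussed here do); path-only sources are left to the page's scheme.
function upgradeToHttps(src) {
  if (src.startsWith("/") && !src.startsWith("//")) return src;
  const u = new URL(src, "https://base.invalid/"); // base only supplies the scheme for "//host/..."
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Every page/src combination, as rows for a quick table.
function mixedContentReport() {
  const rows = [];
  for (const page of [PAGE_HTTPS, PAGE_HTTP]) {
    for (const src of [HARDCODED_SRC, RELATIVE_SRC]) {
      rows.push({ page, src, ...resolveScriptSrc(src, page) });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(mixedContentReport());
  console.log("upgraded:", upgradeToHttps(HARDCODED_SRC));
}
```

Run it with `node` to see the four combinations; only the hardcoded http:// src on the https:// page is flagged, and the scheme-relative form follows the page in both directions.
-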
More than 9 categories: background colors and images not shown
Meanwhile I got it fixed. Apparently I had some problems with my browser (I mostly use a Chromebook) not showing certain items on screen and sometimes not giving feedback about saves. Seems to work fine with the current code :).
Regarding my security certificate: that is perfectly fine. It is not the safest certificate (which is a self-signed certificate, contrary to what vendors try to tell you), but a free one from CAcert. Since my site will be geared towards white-hat hackers, it is some kind of inside joke, while at the same time it scares away some spammers. A bit off-topic to explain the inside joke, but:
-
According to group thinking, certificates need a trusted third party to prove that an identity (e.g. your email, or the URL of a server) belongs to a person or a server. Those trusted third parties are the certificate authorities. An organised man-in-the-middle in a security protocol! Crazy! Especially since none of these authorities can really be trusted: many of them have been hacked, most of them are US-based, and in this post-Snowden era you already know who else has the private keys of those CAs ... They even invented the more expensive EV-SSL ("enhanced validation") certificates, in fact admitting that before they didn't really validate an identity as documented in their own procedures. I once worked for a company that owned 3 of those certificate authorities. We were not even using the certificates internally ...
-
It is even worse. It is not you who decides which certificate authority to trust; the browser vendors maintain a list, which even differs between browser vendors. If they have that CA listed in the browser, you won't even see a warning. It costs a certificate vendor about 50,000 USD to be "trusted" by the browser companies. When I look at the "trusted" CA list I notice a lot of malicious organisations, yet they are trusted by the browsers. And malware writers even know how to modify the list. A broken security model, or at least the implementation, yes ...
Personally I think we can fix the model, but keep all browser vendors and certificate authorities out of the picture. The first problem is to trust that a specific public key belongs to a person/server. The problem was distribution. Really? I can send/publicise my certificate in hundreds of ways (WeChat attachment, Weibo posting, Facebook posting, tweet, ...). It is unfeasible to intercept/modify all possible communications for any government or malicious organisation, even if you control my ISP. Maybe we can have something like Bitcoin transactions, certificate validated if X third parties agree ...
Do not even get me started about the current OpenSSL issues :).
-
More than 9 categories: background colors and images not shown
This is with the latest NodeBB (0.4.0). I can have and configure more than 10 categories. However, from category #10 onwards the background color and image are not displayed on the home screen. Is this a bug in NodeBB or should I look at the template (I use Cerulean)?
-
SVG support for category pictures (and more?)
Major browsers have supported SVG for years (not sure about mobile browsers). Could NodeBB support this? I think this would be beneficial since SVGs auto-scale without quality loss (from phone to mega-big screen). At this moment, NodeBB (at least the category picture upload) does not allow SVG. Note: there might be some security issues for common users, but for admins this might be acceptable (or let the owner of the site decide :)).
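On the security note in the post above: SVG is XML, so an uploaded category picture can carry a script element, event-handler attributes, javascript: links, references to external resources or DTD entities, and when the forum serves it back from its own origin that content runs in every visitor's browser. The following is an added example, not NodeBB's code or the poster's, of the kind of screen an upload handler could apply before accepting an SVG. The function names and the sample files are constructed for this illustration. It is a rejection check, not a sanitiser; a site that accepts SVG from admins would still want to serve uploads with a restrictive Content-Security-Policy or from a separate origin.

```javascript
// Added example, not NodeBB code: a conservative screen for uploaded SVG files.
// It rejects any file containing script elements, event-handler attributes,
// javascript:/data: links, external references or DTD/entity declarations.
// It is deliberately strict and will refuse some harmless files.

const RISKY_ELEMENTS = new Set([
  "script", "foreignobject", "iframe", "embed", "object", "handler", "audio", "video",
]);
const SCRIPT_SCHEME_RE = /^(javascript|vbscript|data):/i;
const EXTERNAL_RE = /^(https?:|\/\/)/i;
const STYLE_RE = /url\s*\(|@import|expression\s*\(|behavior\s*:/i;

// Decode numeric character references and strip whitespace/control characters
// so that "j&#97;va\tscript:" is still recognised as "javascript:".
function normaliseValue(value) {
  const codePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/[\s\u0000-\u001f]/g, "");
}

function findSvgRisks(svgText) {
  const risks = [];
  const text = svgText.replace(/<!--[\s\S]*?-->/g, "");

  if (/<!(DOCTYPE|ENTITY)/i.test(text)) risks.push("DTD or entity declaration");

  // Element names are matched as "<name", not as whole tags, so a ">" hidden
  // inside an attribute value cannot split a tag and hide what follows it.
  const elemRe = /<\s*\/?\s*(?:[A-Za-z][\w.-]*:)?([A-Za-z][\w.-]*)/g;
  let m;
  while ((m = elemRe.exec(text)) !== null) {
    if (RISKY_ELEMENTS.has(m[1].toLowerCase())) risks.push(`<${m[1]}> element`);
  }

  // Attributes are scanned over the whole document for the same reason; a
  // false hit inside text content is accepted for a strict screen.
  const attrRe = /(?:[A-Za-z_][\w.-]*:)?([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  while ((m = attrRe.exec(text)) !== null) {
    const name = m[1].toLowerCase();
    const value = normaliseValue(m[2] ?? m[3] ?? m[4] ?? "");
    if (name.startsWith("on")) risks.push(`${m[1]} event handler`);
    else if (name === "href" && SCRIPT_SCHEME_RE.test(value)) risks.push(`href with ${value.split(":")[0].toLowerCase()}: scheme`);
    else if (name === "href" && EXTERNAL_RE.test(value)) risks.push("href to an external resource");
    else if (name === "style" && STYLE_RE.test(value)) risks.push("style attribute loading an external resource");
  }

  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  while ((m = styleRe.exec(text)) !== null) {
    if (STYLE_RE.test(m[1])) risks.push("<style> element loading an external resource");
  }
  return risks;
}

function isSafeSvg(svgText) {
  return findSvgRisks(svgText).length === 0;
}

// Constructed samples: one benign icon and four files an uploader should reject.
const SAMPLES = {
  cleanIcon: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><circle cx="12" cy="12" r="10" fill="#36c"/></svg>',
  onload: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"><rect width="1" height="1"/></svg>',
  script: '<svg xmlns="http://www.w3.org/2000/svg"><script>fetch("/api/user/me")</script></svg>',
  jsHref: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="j&#97;vascript:alert(1)"><text y="15">click</text></a></svg>',
  entity: '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "AAAAAAAA">]><svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>',
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, svg] of Object.entries(SAMPLES)) {
    console.log(name, isSafeSvg(svg) ? "accepted" : `rejected: ${findSvgRisks(svg).join("; ")}`);
  }
}
```

The check scans element names and attributes over the whole text rather than parsing tags, so the classic trick of hiding a handler behind a ">" inside an attribute value does not get past it, and numeric character references are decoded before the href scheme is inspected. The price is false positives: an attribute-looking string inside text content will also be flagged, which is acceptable for an upload gate that an admin can override.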
for years (not sure about mobile browsers). Could NodeBB support this? I think this would be beneficial since the auto-scale without quality loss (from phone to mega-big screen). At this moment, NodeBB (at least the category picture upload) does not allow SVG.Note: there might be some security issues for common users, but for admins this might be acceptable (or let the owner of the site decide :)).