Reserved-usernames: Usernames to prevent url collision with resource paths(github.com)
github.com
Reserved-usernames: Usernames to prevent url collision with resource paths
https://github.com/shouldbee/reserved-usernames
16 comments
I agree. Even if you think /user/ or /res/ is too long or unsightly, you could have shorter prefixes like (in an example.com/username system) example.com/.settings or example.com/_settings, or (in an example.com/settings system) example.com/@username or example.com/~username.
That said, it might still be a good idea to blacklist these anyway, as you might end up with someone registering the username 'reset-password' (which isn't on this list yet) trying to phish your users, or 'support' trying to masquerade as your support, depending on what your app does.
That said, it might still be a good idea to blacklist these anyway, as you might end up with someone registering the username 'reset-password' (which isn't on this list yet) trying to phish your users, or 'support' trying to masquerade as your support, depending on what your app does.
I guess if you have usernames in a shared namespace with system components this'd make sense - it's not something I'd consider a feature.
consider:
website.org/aloha
website.org/contact
website.org/u/aloha
website.org/users/aloha
users.website.org/aloha
u.website.org/aloha
aloha.website.org
with the first two examples, yes, there is a potential for collision - so you'd want something like this.
I consider the next four examples to be best - the final example I consider potentially administratively painful depending on implementation.
consider:
website.org/aloha
website.org/contact
website.org/u/aloha
website.org/users/aloha
users.website.org/aloha
u.website.org/aloha
aloha.website.org
with the first two examples, yes, there is a potential for collision - so you'd want something like this.
I consider the next four examples to be best - the final example I consider potentially administratively painful depending on implementation.
Don't forget the ancient classic: website.org/~aloha
Mastodon's interesting approach: website.org/@aloha
Mastodon's interesting approach: website.org/@aloha
yeah, I neglected those.
I still use ~ on a couple web servers I administer, easy way for me to give people a sandbox attached to their user.
I still use ~ on a couple web servers I administer, easy way for me to give people a sandbox attached to their user.
Having usernames as subdomains is relatively common, and it does seem like this list has that use case in mind (see the variations on www)
Twitter, for example, will place the username at the first level (twitter.com/username). Most of the other interactions occur under a small group of other addresses, such as /i/ and /settings/. However, I can still see this being a helpful resource so that you don't have to think about all possibilities from the outset.
Some of these are also usernames that a user might use to impersonate being a part of your organization: administrator, contact_us, news, et al.
That can help stop some particularly egregious social engineering attacks.
That can help stop some particularly egregious social engineering attacks.
Certainly doing this is introducing technical challenges easily avoided. But it’s also a win for reading, typing, and remembering URLs. Don’t confuse back-end elegance with elegance in communication with humans.
I could see a profanity list being more useful. How many people really try to register with the username "projects"?
As other people have mentioned, namespaces for user URLs solves this better.
As other people have mentioned, namespaces for user URLs solves this better.
There used to be sane times where usernames were prefixed by a tilde in profile URLs...
Or: Why you should not put things like usernames at the top level of your domain. sheesh...
Look at reddit.
[edit] Wait. Reddit removed user access site-wide to those pages? Morons. Well, the URL point still stands.
reddit.com/r/subreddit
reddit.com/user/my_user_name (Why not u? I don't know.)
Pretty straight forward. There are also ones like subreddit statistics and they're all... after the name. reddit.com/r/subreddit/about/traffic
(Note: Public viewable stats are only turned on if the mods turn it on.)[edit] Wait. Reddit removed user access site-wide to those pages? Morons. Well, the URL point still stands.
Oddly
reddit.com/u/foo
does work, but it just redirects to reddit.com/user/foo
Seems silly. You should either put users at example.com/user/{username} or you should put all non-user profiles under a reserved base like example.com/res/settings.