
One user could possibly break twitter, facebook, or github - Here's why.

𝐋𝐄𝑽𝐈𝑨𝐓𝐇𝐀𝐍 Programming ・2 min read

I've been working with routing and I've found something that a lot of people probably haven't noticed.

If you go to a site like https://github.com and navigate to its "about" page, https://github.com/about, you can see that the "about" endpoint comes right after the domain.

If you navigate to, let's say, my profile on GitHub, you will see that my username also comes right after the domain: https://github.com/Conner1115.

What happens if a user signs up with the name "about"? If GitHub doesn't block the user from taking that name, the two routes collide: depending on which one the router matches first, either the About page overrides the user, making their profile invisible to everyone, or the profile overrides the About page, so everyone sees the user's profile in place of the original page.

When you do routing on your site, keep user profiles in their own namespace, using something like yourdomain.com/**user**/username, instead of leaving your site open to people who would try to break it by registering a username that matches one of your pages.

Please don't go breaking GitHub, Twitter, Facebook, or any other site that uses weak routing for users.

It's good to have a short URL, I guess, so if you want, you can use FreeCodeCamp's technique and use something like domain.com/u/username. Another good way is how repl.it tracks user profile endpoints: they add an "@" before the profile name to ensure that the URL is unambiguously a user's profile, e.g. domain.com/@username.

Another way (not recommended) is to validate usernames at signup against the list of existing URL endpoints and tell the user that they can't sign up with one of them. I still wouldn't rely on that, because humans make mistakes: whoever adds a new endpoint later has to remember to update the list, and sooner or later someone will forget.
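To make the collision and the fix concrete, here is an added example (not code from the original post or from any of the sites it mentions): a tiny in-memory router with a flat scheme, where a user named "about" and the About page fight over the same path, beside a namespaced scheme (`/u/<name>` or `/@<name>`) where they cannot collide. The user set, the static route and the reserved-name list are all constructed for illustration, and the signup check is only a second layer on top of the namespacing, not a replacement for it.

```javascript
// Constructed data: "about" is the problem signup the post describes.
const users = new Set(["alice", "about"]);

// Flat scheme: static pages and user slugs share one namespace, so whichever
// rule the router checks first wins and the other page becomes unreachable.
function resolveFlat(path, userFirst = false) {
  const seg = path.replace(/^\/+/, "").split("/")[0];
  const isStatic = seg === "about";
  const isUser = users.has(seg);
  if (userFirst) {
    if (isUser) return { page: "profile", user: seg };   // About page shadowed
    if (isStatic) return { page: "about" };
  } else {
    if (isStatic) return { page: "about" };              // profile shadowed
    if (isUser) return { page: "profile", user: seg };
  }
  return { page: "404" };
}

// Namespaced scheme: profiles live under "/u/<name>" or "/@<name>", so a
// username can never shadow a static route, and new static routes can be
// added later without checking them against the user table.
function resolveNamespaced(path) {
  const segs = path.replace(/^\/+/, "").split("/");
  if (segs.length === 1 && segs[0] === "about") return { page: "about" };
  let name = null;
  if (segs[0] === "u" && segs.length === 2) name = segs[1];
  else if (segs[0].startsWith("@") && segs.length === 1) name = segs[0].slice(1);
  if (name !== null && users.has(name)) return { page: "profile", user: name };
  return { page: "404" };
}

// Signup check (hypothetical policy): a conservative charset keeps "/", "@",
// "." and whitespace out of usernames, so a name cannot escape its namespace
// segment; the reserved list is the extra layer the post says not to rely on.
const RESERVED = new Set(["about", "u", "login", "signup"]);
function isAllowedUsername(name) {
  const wellFormed = /^[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$/i.test(name);
  return wellFormed && !RESERVED.has(name.toLowerCase());
}
```

Run `resolveFlat("/about")` and `resolveFlat("/about", true)` to see that one of the two pages disappears in either order, while `resolveNamespaced("/about")` and `resolveNamespaced("/u/about")` both resolve correctly.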

Please, next time you make a site, be sure to secure your URL endpoints and watch out for hidden details like this.

Thanks for reading.
Happy Coding!
