Yes, that is how it is implemented: a restricted list of usernames. The logic typically would live wherever you have logic that checks "is this username available", which would join on your users table and your restricted usernames table. 1/2
Comments
2/2 You'll need restriction logic even if you use a separate domain because you will want to restrict common terms like /help /support /wp-admin because they will either be used maliciously or be the target of high volumes of bad traffic.
I'm also curious --- do CMSs then update the third-party registration restriction list? (Like whatever GitHub is using to create its marketing pages has to restrict people from registering those handles.)
Every system is different but explicit routes (e.g: `/pricing`) should match before wildcards (like `/:username`) so the worst case with a banned username slipping through is their own profile doesn't work (rather than them being able to take over the pricing page for example). 1/2
2/2 A sophisticated system might try and ping a URL first (e.g: you enter `pricing` as a username and it checks if `/pricing` returns a non-404) but that sort of complexity isn't usually necessary. As long as usernames are the last thing to match when routing you don't need to worry about it :)
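An added illustration of the two points made above (example code written for this page, not from anyone in the thread): an availability check that consults both the users table and the reserved-names table, and a router where explicit routes are matched before the `/:username` wildcard, so a banned name that slips through can only break its own profile. The reserved names, users and routes are constructed sample data.

```python
import re

# Constructed sample data: the "restricted usernames table" and the "users table".
RESERVED_USERNAMES = {"help", "support", "wp-admin", "pricing", "admin", "login"}
EXISTING_USERS = {"alice", "bob"}

# Assumed handle format: lowercase alphanumerics, '_' or '-', 3-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{2,31}$")


def is_username_available(username, existing=EXISTING_USERS, reserved=RESERVED_USERNAMES):
    """Same check as joining users and restricted_usernames on the candidate name.

    Normalising case first stops 'Pricing' from bypassing a reserved 'pricing'.
    """
    name = username.strip().lower()
    if not USERNAME_RE.fullmatch(name):
        return False
    return name not in reserved and name not in existing


# Explicit routes live in their own table and are consulted first.
EXPLICIT_ROUTES = {
    "/pricing": "pricing_page",
    "/help": "help_page",
    "/support": "support_page",
}

PROFILE_RE = re.compile(r"^/([^/]+)$")  # the '/:username' wildcard


def route(path, users=EXISTING_USERS):
    """Resolve a request path: explicit routes win, the username wildcard is last."""
    if path in EXPLICIT_ROUTES:
        return EXPLICIT_ROUTES[path]
    m = PROFILE_RE.fullmatch(path)
    if m and m.group(1) in users:
        return f"profile:{m.group(1)}"
    return "404"


if __name__ == "__main__":
    # Even if 'pricing' were registered as a user, /pricing still serves the marketing page.
    print(route("/pricing", users=EXISTING_USERS | {"pricing"}))  # pricing_page
    print(is_username_available("Pricing"))  # False
```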
Nice! Not an expert, but this feels like a comprehensive set of best practices, which is exactly what I was looking for. Thank you so much for taking the time to share it! :)