
Well, I believe in Postel’s Law. Any opinions on the utility or danger of redirecting to the canonical URL instead?

E.g. I don’t want anyone’s campaign tracking tokens in the referer of our outbound links, or in URLs being shared around by copy-paste from the address bar.

However I also don’t want to inadvertently create a mechanism for someone to mechanically enumerate our routes (which we already see routinely attempted via return-path parameters), or walk into any similar trap besides.




Referenced (only partially quoted, and wholly unheeded) in the article, Postel's Law, also known as the Robustness Principle, says "be liberal in what you accept, and conservative in what you send."

https://en.m.wikipedia.org/wiki/Robustness_principle


I think this might be a good use case for history.replaceState - it'll change the URL in the address bar without actually redirecting.
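An added example, not part of the thread, of the history.replaceState approach suggested in the comment above: it drops tracking parameters from the address bar without a redirect, so the server's response does not vary by route. The parameter denylist and the function names are assumptions made for illustration, and removing tracking parameters is only one part of full canonicalization.

```javascript
// Added example. The denylist below is an assumed set of common tracking
// parameter names, not something taken from the thread.
const TRACKING_PARAMS = new Set(["gclid", "fbclid", "mc_cid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Returns href with tracking parameters removed. Path, fragment and all other
// query parameters are kept. If nothing matches, the query is left untouched,
// so its original percent-encoding is not rewritten.
function stripTracking(href) {
  const url = new URL(href);
  const doomed = [...url.searchParams.keys()].filter(isTrackingParam);
  for (const name of doomed) url.searchParams.delete(name);
  return url.toString();
}

// Rewrites the address bar in place. No request is sent and no history entry
// is added, so there is no redirect response for a scanner to compare.
// `win` is passed in (hypothetical parameter) so the function can be tested
// outside a browser.
function cleanAddressBar(win) {
  const before = win.location.href;
  const after = stripTracking(before);
  if (after === before) return false;
  const u = new URL(after);
  // replaceState only accepts same-origin URLs, so pass a relative one.
  win.history.replaceState(win.history.state, "", u.pathname + u.search + u.hash);
  return true;
}

if (typeof window !== "undefined") {
  cleanAddressBar(window);
}
```

Run it as early as possible in page load, before the visitor has a chance to copy the URL or follow an outbound link.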



