
I never used MySpace, but this looks cool! Good idea to build off the nostalgia. Just on first glance, I noticed you're using URLs like https://spacehey.com/profile?id=123 for accessing profiles. That seems like a bad idea; using increasing numbers for pages in general is not great, because it makes it easy to scrape for every user on the site. Why not switch to something like a UUID or random base64 code?



Just curious: Why is this post with kind words and a seemingly-helpful tip being downvoted? Is this bad advice for some reason?


Maybe it's because it's advocating for security by obscurity? It would probably be more resource-intensive for the server if a bot were to scrape every single page to collect UUIDs instead of methodically going through them.


Oh, that's interesting — I hadn't considered that creators of web apps might choose to do this to make scraping easier. Generally, I've understood that exposing internal IDs is undesirable.

[1] https://blog.jiayu.co/2018/09/methods-for-obfuscating-sequen...

[2] https://stackoverflow.com/questions/396164/exposing-database...


One way to avoid this is to look for something requesting only profile pages, then cut them off after a certain number of requests.
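
The cut-off described in the comment above, sketched as an added example (not part of the thread and not SpaceHey's code). The class name, the threshold of 5, the 60-second window, keying clients by IP address, and the sample traffic are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the profile URL form quoted in the thread: /profile?id=<integer>
PROFILE_RE = re.compile(r"^/profile\?id=\d+$")

class ProfileOnlyLimiter:
    """Cut off clients that request only profile pages past a threshold."""

    def __init__(self, max_profile_hits=5, window_seconds=60):
        self.max_profile_hits = max_profile_hits  # assumed threshold
        self.window_seconds = window_seconds      # assumed sliding window
        self.hits = defaultdict(list)             # client -> [(ts, is_profile)]
        self.blocked = set()

    def allow(self, client, ts, path):
        """Record one request; return False once the client is cut off."""
        if client in self.blocked:
            return False
        # Keep only requests still inside the window, then add this one.
        recent = [(t, p) for t, p in self.hits[client]
                  if ts - t < self.window_seconds]
        recent.append((ts, bool(PROFILE_RE.match(path))))
        self.hits[client] = recent
        profile_hits = sum(1 for _, p in recent if p)
        # A browser also fetches the home page, CSS, images; a crawler
        # walking ids fetches nothing but profile pages.
        only_profiles = profile_hits == len(recent)
        if only_profiles and profile_hits > self.max_profile_hits:
            self.blocked.add(client)
            return False
        return True

def replay(log, limiter):
    """Run (client, ts, path) records through the limiter in order."""
    return [(c, path, limiter.allow(c, ts, path)) for c, ts, path in log]

# Constructed sample traffic (documentation IP ranges): the first client
# requests consecutive profile ids, the second browses normally.
SAMPLE_LOG = (
    [("198.51.100.7", i, f"/profile?id={100 + i}") for i in range(8)]
    + [("203.0.113.9", 0, "/"), ("203.0.113.9", 2, "/profile?id=5"),
       ("203.0.113.9", 4, "/style.css"), ("203.0.113.9", 6, "/profile?id=9")]
)

if __name__ == "__main__":
    for client, path, ok in replay(SAMPLE_LOG, ProfileOnlyLimiter()):
        print(client, path, "allowed" if ok else "cut off")
```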


All sorts of incidents have happened this way. Somebody even got arrested for pointing it out on some government website, once.


HN is full of bad actors who don't want their jobs made harder


The original MySpace used the profile name for URLs - https://myspace.com/some_name - maybe the reboot will eventually. I tried with mine and it was a 404.


SpaceHey does too, but if you don't set one you get profile?id=$int


Ok, thanks. I set what I thought was a username during signup but looks like that was just the name. I see now there's a second step going to https://spacehey.com/settings and the username URL is working for me.



