Routing design is easy to ignore until it becomes an abuse vector. The basic risk is collision: two different concepts end up competing for the same URL space.
The collision problem
If user profiles, organizations, and core pages all live at the same “level”, you can accidentally create URLs where a reserved path looks like a user/org name (or vice versa).
Even when nothing is “hacked”, this can cause:
- Confusing redirects
- Phishing-style lookalike links
- Broken assumptions in clients and bots
Safer patterns
Prefer explicit namespaces:
- /u/[username] for users
- /o/[org] for organizations
- /profile/[id] for profile views
And keep a short list of reserved top-level routes (/login, /docs, /news, etc.) that can never be claimed by user content.
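The following is an added example, not code from the platform or thread discussed above. It contrasts a flat resolver, where a user name and a core page compete for the same single-segment URL, with the namespaced layout and reserved-route list described in this section. The helper names (resolveFlat, resolveNamespaced, canClaimName), the slug rule and the reserved list are assumptions for illustration; the three reserved pages come from the text, the namespace prefixes are added to the reserved set as a defensive choice.

```javascript
// Added example: flat vs. namespaced URL resolution with a reserved-route list.
// All names and rules here are illustrative assumptions, not a real platform's code.

// Core pages that must never be shadowed by user content (from the note above).
const CORE_PAGES = new Set(["login", "docs", "news"]);
// Namespace prefixes are reserved too, so a user can never be named "u" or "o".
const RESERVED = new Set([...CORE_PAGES, "u", "o", "profile"]);
// Strict slug form: lowercase ASCII, digits, hyphen, underscore; 1-32 chars.
// Rejecting anything else (mixed case, Unicode lookalikes) keeps names canonical.
const SLUG_RE = /^[a-z0-9_-]{1,32}$/;

// Registration-time check: a name is claimable only if it is well-formed and not reserved.
function canClaimName(name) {
  return SLUG_RE.test(name) && !RESERVED.has(name);
}

// Flat layout: "/[name]" is a user profile unless it happens to be a core page.
// Collision-prone: the core page list must be complete and checked first,
// and any page added later may already be taken by a user of that name.
function resolveFlat(path, corePages = ["login", "docs", "news"]) {
  const segs = path.split("/").filter(Boolean);
  if (segs.length !== 1) return { kind: "not_found" };
  if (corePages.includes(segs[0])) return { kind: "core", page: segs[0] };
  return { kind: "user", name: segs[0] };
}

// Namespaced layout: the first segment decides the concept, so a user named
// "docs" lives at /u/docs and can never collide with the /docs page.
function resolveNamespaced(path) {
  let segs;
  try {
    // Decode each segment so "%6Cogin" and "login" are treated identically.
    // Empty segments (e.g. a trailing slash) are dropped.
    segs = path.split("/").filter(Boolean).map(decodeURIComponent);
  } catch {
    return { kind: "bad_request" }; // malformed percent-encoding
  }
  if (segs.length === 0) return { kind: "core", page: "home" };
  const [head, ...rest] = segs;
  const one = rest.length === 1 ? rest[0] : null;
  switch (head) {
    case "u":
      // A name that could never be registered never resolves either.
      return one !== null && canClaimName(one)
        ? { kind: "user", name: one }
        : { kind: "not_found" };
    case "o":
      return one !== null && canClaimName(one)
        ? { kind: "org", name: one }
        : { kind: "not_found" };
    case "profile":
      return one !== null && /^[0-9]{1,18}$/.test(one)
        ? { kind: "profile", id: one }
        : { kind: "not_found" };
    default:
      // Only exact, single-segment core pages resolve at the top level.
      return rest.length === 0 && CORE_PAGES.has(head)
        ? { kind: "core", page: head }
        : { kind: "not_found" };
  }
}

module.exports = { canClaimName, resolveFlat, resolveNamespaced };
```

In the flat layout a user registered as "news" before a /news page existed silently wins or loses that URL depending on check order; in the namespaced layout the same name is either refused at registration (reserved) or lives under /u/ where it cannot shadow anything. Decoding before matching matters because a reserved-name check applied to the raw encoded string would let "%6Cogin" slip past it.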
Reporting and triage
When you spot something that looks like a platform bug:
- Provide the exact URL
- Explain the expected vs actual behavior
- Suggest a safe namespace fix
Source thread
This note is based on the discussion in: https://sbox.game/f/general/2022/1/