Lastly, if each user is granted a unique URL (e.g. for user profile pages),
make sure an attacker cannot enumerate usernames. It might seem like a good
idea to differentiate responses with HTTP 404 (not found) for a nonexistent
user and HTTP 403 (forbidden) for an existing one, but this leaks whether
the username exists.
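As an added example (not code from the original page), a minimal pair of profile handlers: the first differentiates 404 and 403 as described and so acts as a username oracle, the second returns a single status for both failure cases. The user store and the `status_oracle` check are constructed for illustration.

```python
"""Per-user URL handlers: leaky vs. uniform responses (constructed example)."""
from http import HTTPStatus

# Constructed user store: username -> set of requesters allowed to view the profile
USERS = {
    "alice": {"alice", "bob"},
    "bob": {"bob"},
}


def leaky_profile(requester: str, target: str, users=USERS) -> int:
    """Distinguishes "no such user" (404) from "exists, not yours" (403).

    Any requester, authenticated or not, can tell whether `target` is a real
    username just by comparing status codes.
    """
    if target not in users:
        return HTTPStatus.NOT_FOUND
    if requester not in users[target]:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def uniform_profile(requester: str, target: str, users=USERS) -> int:
    """Collapses both failure cases into one status (404 here).

    The response no longer depends on whether `target` exists, only on whether
    the requester may view it. Body and headers should be identical for both
    failure cases as well; this example only equalises the status code.
    """
    allowed = users.get(target, set())
    if requester not in allowed:
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.OK


def status_oracle(handler, requester: str, existing: str, missing: str,
                  users=USERS) -> bool:
    """Defender's check: True if the status code alone separates an existing
    (but inaccessible) username from a nonexistent one."""
    return handler(requester, existing, users) != handler(requester, missing, users)


if __name__ == "__main__":
    # "carol" is not in USERS and may not view anyone's profile.
    print("leaky handler is an oracle:", status_oracle(leaky_profile, "carol", "alice", "zed"))
    print("uniform handler is an oracle:", status_oracle(uniform_profile, "carol", "alice", "zed"))
```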