Lastly, if each user is granted a unique URL (e.g. for user profile pages), make sure an attacker
cannot enumerate usernames. It might seem like a good idea to differentiate responses with HTTP
404 (not found) and HTTP 403 (forbidden), but the difference leaks information: it tells the
requester which usernames exist.
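
The leak, next to a handler that closes it, as an added example that is not code from the original page. The profile store, the usernames and the function names are assumptions made up for illustration.

```python
# Added example: constructed data and hypothetical handler names.
from typing import NamedTuple, Optional

class Response(NamedTuple):
    status: int
    body: str

# Constructed sample data: username -> (is_public, profile text)
PROFILES = {
    "alice": (True, "Alice's public profile"),
    "bob": (False, "Bob's private profile"),
}

# One shared object, so status and body cannot drift apart between cases.
NOT_FOUND = Response(404, "Not found")

def profile_leaky(username: str, viewer: Optional[str]) -> Response:
    """Differentiates 404 and 403, so the status code reveals which names exist."""
    entry = PROFILES.get(username)
    if entry is None:
        return Response(404, "Not found")
    is_public, text = entry
    if not is_public and viewer != username:
        return Response(403, "Forbidden")
    return Response(200, text)

def profile_uniform(username: str, viewer: Optional[str]) -> Response:
    """Answers 'no such user' and 'not allowed to view' with the same response."""
    entry = PROFILES.get(username)
    if entry is None or (not entry[0] and viewer != username):
        return NOT_FOUND
    return Response(200, entry[1])

def distinguishable(handler, existing_private: str, missing: str) -> bool:
    """True if an anonymous client can tell a private account from a missing one."""
    return handler(existing_private, None) != handler(missing, None)

if __name__ == "__main__":
    print("leaky handler distinguishable:", distinguishable(profile_leaky, "bob", "nobody"))
    print("uniform handler distinguishable:", distinguishable(profile_uniform, "bob", "nobody"))
```

The comparison covers status and body only; headers and response time need to match as well for the two cases to look the same to a client.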