Comment by carimura
4 years ago
I stew on this idea all the time and conclude that only scale (lots of users?) would make this effective. But then I ponder the remedy itself being wielded against legitimate parties and I get slightly sad and move on to something else to worry about.
Yeah - I do worry about making a request that might "verify" some other legitimate user's url, so I won't do this if the identifiers look like consecutive numbers, but if they look like guids I'm perfectly happy to blast 10,000 or 100,000 random ones back at them.