evict
commented
3 years ago Actually a UUID is perfectly fine for this type of thing. UUIDs are not guessable, the risk is negligible really. Just make sure that when using the web app you add the noindex header and/or tags: https://developers.google.com/search/docs/advanced/crawling/block-indexing. This will prevent indexing when someone accidentally shares the link on a public site.
The timeline is blocked already by this setting but a post can still be accessed directly with its UUID, we must add a check there to make sure it isnt if the profile is set to private and the person is not a follower.