
Reserved Alias Protection: Engineering Trust and Brand Safety

2026-03-08·4 min read·Plung Team

At Plung, our mission is to provide the fastest, most private way to shorten URLs. But speed and privacy must never come at the expense of safety. Today, we are excited to announce a significant enhancement to our platform: Reserved Alias Protection.

The Problem: The Hidden Risks of Custom Aliases

Custom aliases are a powerful feature, allowing users to create memorable and branded links. However, they also present unique security challenges. Without proper protection, malicious actors can exploit custom aliases for:

  1. Phishing and Impersonation: Creating links like plung.co/login, plung.co/verify-account, or plung.co/google-support to trick users into revealing sensitive information.
  2. Brand Hijacking: Squatting on well-known brand names or trademarks to redirect users to unauthorized or harmful content.
  3. System Route Conflicts: Accidentally or intentionally overlapping with internal platform routes (e.g., /api, /console, /admin), potentially causing service disruptions.

Our Solution: Three-Tier Validation

To address these risks, we have implemented a robust, three-tiered validation system that operates in real time during every shortening request.

Tier 1: Dynamic Admin Overrides

The highest priority in our system is the Admin Override layer. This allows our team to manually allow or block specific aliases with high precision. For example, if a strategic partner needs a specific alias that is normally reserved, we can create an "Allow" override. Conversely, if we detect a new phishing pattern, we can instantly "Block" it across the entire platform.

Tier 2: Static Reserved Lists

We maintain a comprehensive, curated list of reserved aliases that are prohibited by default. This list includes:

  • System Routes: Internal paths like api, console, admin, login, and logout.
  • Brand Names: Global technology, finance, and retail brands.
  • Government and Institutional Entities: Trusted organizations that are frequently targeted by impersonation.

Tier 3: Malicious Pattern Detection

Beyond static lists, we use advanced pattern matching to catch variants of reserved aliases. This tier identifies attempts to circumvent protections using:

  • Homoglyph Attacks: Using visually similar characters, including letters from other alphabets (e.g., replacing 'o' with '0').
  • Suffix/Prefix Variations: Catching aliases like login-now or official-support.
  • Known Phishing Keywords: Prohibiting terms commonly used in credential harvesting campaigns.
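
The three tiers evaluated in priority order, as an added illustration; this is not Plung's code, and the override entries, lists, confusables map and function names are all assumptions made for the example.

```python
from __future__ import annotations
import re
import unicodedata

# Constructed sample data; the real lists and overrides are not published in this post.
ADMIN_OVERRIDES = {"partner-login": "allow", "free-gift": "block"}   # Tier 1
RESERVED = {"api", "console", "admin", "login", "logout", "google"}  # Tier 2
PHISHING_KEYWORDS = {"verify", "support", "account"}                 # Tier 3
# Small illustrative confusables map (digits and Cyrillic look-alikes -> ASCII).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})


def skeleton(alias: str) -> str:
    """Fold case, compatibility forms and known look-alikes to one canonical form."""
    folded = unicodedata.normalize("NFKC", alias).casefold()
    return folded.translate(CONFUSABLES)


def check_alias(alias: str) -> tuple[bool, str]:
    """Return (allowed, reason), evaluating the tiers in priority order."""
    key = unicodedata.normalize("NFKC", alias).casefold()
    # Tier 1: an explicit admin decision wins over everything below it.
    override = ADMIN_OVERRIDES.get(key)
    if override is not None:
        return override == "allow", f"admin-{override}"
    # Tier 2: exact match against the static reserved list.
    if key in RESERVED:
        return False, "reserved"
    # Tier 3: look-alike folding, then prefix/suffix and keyword checks per token.
    folded = skeleton(key)
    if folded in RESERVED:
        return False, "homoglyph"
    tokens = [t for t in re.split(r"[-_.]+", folded) if t]
    if any(t in RESERVED for t in tokens):
        return False, "affix-variant"
    if any(t in PHISHING_KEYWORDS for t in tokens):
        return False, "phishing-keyword"
    return True, "ok"


def error_body(alias: str) -> dict | None:
    """Build the 400 body from this post (timestamp omitted) for a rejected alias."""
    allowed, _ = check_alias(alias)
    if allowed:
        return None
    return {"statusCode": 400, "path": "/v2/shorten", "method": "POST",
            "message": "This alias is reserved and cannot be used"}
```

Normalizing with NFKC and case folding before any lookup means the override and reserved-list checks see the same canonical key that Tier 3 later folds for look-alikes.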

Enhancing the Developer Experience

We believe that security should be transparent. Our updated API documentation now includes detailed information about reserved alias validation. When a developer or user attempts to use a reserved alias, the API returns a clear, actionable error message:

{
  "statusCode": 400,
  "timestamp": "2026-03-08T14:40:00.000Z",
  "path": "/v2/shorten",
  "method": "POST",
  "message": "This alias is reserved and cannot be used"
}

On our frontend, these errors are now displayed directly under the "Custom Alias" input field, providing immediate feedback and a smoother user experience.

Building a Safer Web, Together

Reserved Alias Protection is more than just a security feature; it is a commitment to the trust our users place in Plung. By preventing the creation of deceptive links, we are not only protecting our platform but also contributing to a safer internet for everyone.

This feature is available immediately to all users. We will continue to refine our validation patterns and monitor the threat landscape to ensure Plung remains the most trusted name in URL shortening.
