[gk1]

This seems important and something I should look into implementing, but you completely lost me here:

> "Keep a hash map of URLs. In other words, instead of having the URL in the query string, have a key that refers to that URL there. In this way, only the URLs for the keys that YOU define are redirectable."

Huh? I wish you would expand on this a little bit.

[willscott]

This is exactly what happened with the first era of URL shorteners, and has the detrimental effect of scattering dead links around the web when your service closes. (termed link rot)

ArchiveTeam has a project scraping URL shorterners to attempt to archive exactly these things. Their tagline is "url shortening was a fucking awful idea".

http://archiveteam.org/index.php?title=URLTeam

My takeaway from this is that having a whitelist is fine, but keep the original URL visible so that if your service isn't available the original content is still visible (although potentially requiring manual user effort) is a good thing.

[endianswap]

Make a mapping of some ID to a URL in a database, make the final URL that redirects have the ID in it, not the target URL.

That being said, this whole thing is pretty silly with the given examples. If banks were doing this it'd be another issue.

[nperez]

test.org/redirect?url=http://test2.com

vs

{'test2':'http://test2.com'} on server + test.org/redirect?url=test2