I’m curious how companies handle this in practice. Do you:
Block certain TLDs or domains?
Use external reputation or threat-intel APIs?
Follow redirects and scan the final destination?
Sanitize or nofollow everything?
Rely on user reports + moderation queues?
Something else entirely?
It seems like a constant balancing act between safety, performance, and not frustrating legitimate users.
What’s worked well (or failed) for you? Any battle-tested approaches you’d recommend?