If you’re developing or installing a service with user accounts, this is a list of hostnames and usernames that you should refuse to let users register.

All the credit goes to Geoffrey Thomas, who also gives a good explanation of why you should adopt such a list in his blog post: https://ldpreload.com/blog/names-to-reserve Please make sure to read it to understand that this blacklist is only one part of the protection needed: it does not, by itself, address issues such as domain-level cookies.

If you see any omission in the list, send me a PR.

The username format

For the sake of forward-compatibility (and to keep the blacklist small), usernames should be restricted to ASCII, hostname-like names: lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen. Anything outside that set is simply not a valid username, so it never needs to be blacklisted.

In regexp format: /^[a-z]([a-z0-9-]*[a-z0-9])?$/

The regexp does not bound the length; if usernames become DNS labels, also cap them at 63 characters. Normalise input to lowercase before matching, so that "Admin" cannot slip past a list that only contains "admin".

The list file format

Each line is either an empty line, a comment or a username.

A comment line starts with a # character.

A username may appear more than once when it belongs to several categories, so importers should deduplicate.

If you want to import the list programmatically, here is the grammar in EBNF:

cr = "\n" ;
not-cr = all characters - cr ;

comment = "#", { not-cr } ;
username = ( not-cr - "#" ), { not-cr } ;

line = [ comment | username ], cr ;

grammar = { line } ;

The grammar only describes the file layout; the characters a username line may actually contain are constrained by the regexp in the previous section.
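As an added example (not part of the original list, nor code from Geoffrey Thomas's post), here is a small Python parser for the list file format above, combined with a registration-time check that applies the username regexp from the previous section. The excerpt of the list embedded in it is constructed for the example; the function names and the 63-octet length cap are my additions (the cap is the DNS label limit from RFC 1035, which the regexp itself does not enforce).

```python
import re
from typing import Optional, Set

# The username regexp given in the README: lowercase ASCII, hostname-like.
USERNAME_RE = re.compile(r"^[a-z]([a-z0-9-]*[a-z0-9])?$")

# DNS labels are limited to 63 octets (RFC 1035). The regexp does not bound
# length, so enforce it separately if usernames become subdomains. (Assumption
# of this example, not something the list file itself specifies.)
MAX_LABEL_LEN = 63

# Constructed excerpt in the list file format (blank lines, '#' comments,
# one name per line). 'ftp' is deliberately repeated in two categories,
# exactly as the real list does.
SAMPLE_LIST = """\
## constructed excerpt for this example
#
# well-known hostnames
ftp
www

# admin-ish usernames
admin

# rfc2142 reserved email addresses
abuse
ftp
postmaster

# network
localhost
"""


def parse_reserved_names(text: str) -> Set[str]:
    """Parse the list file format into a set of reserved names.

    Each line is empty, a comment starting with '#', or a username. Names
    that appear in several categories collapse into the set. A non-comment
    line that does not match USERNAME_RE raises, so a corrupted or mis-edited
    list fails loudly instead of silently shrinking the blacklist.
    """
    names: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # tolerate trailing whitespace / CRLF endings
        if not line or line.startswith("#"):
            continue
        if not USERNAME_RE.match(line):
            raise ValueError(f"line {lineno}: {raw!r} is not a valid username")
        names.add(line)
    return names


def check_username(candidate: str, reserved: Set[str]) -> Optional[str]:
    """Return None if the candidate may be registered, else a rejection reason.

    The candidate is lower-cased before checking: DNS is case-insensitive,
    so 'Admin' must be rejected exactly like 'admin' or the list is bypassed.
    """
    name = candidate.strip().lower()
    if not USERNAME_RE.match(name):
        return "malformed"
    if len(name) > MAX_LABEL_LEN:
        return "too long"
    if name in reserved:
        return "reserved"
    return None


if __name__ == "__main__":
    reserved = parse_reserved_names(SAMPLE_LIST)
    for cand in ["alice", "FTP", "Admin", "-alice", "ali_ce", "a" * 64]:
        print(f"{cand!r}: {check_username(cand, reserved) or 'ok'}")
```

The order of the checks is deliberate: the format check runs first so that the reserved-name lookup only ever sees canonical lowercase labels, and a malformed name is rejected whether or not it happens to be on the list.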

The list

## This is a list of names to reserve when building a PaaS
#
# See https://zimbatm.github.io/hostnames-and-usernames-to-reserve
#

# well-known hostnames
email
ftp
imap
mail
mx
ns0
ns1
ns2
ns3
ns4
ns5
ns6
ns7
ns8
ns9
pop
pop3
smtp
www

# admin-ish usernames
admin
administrator
domainadmin
domainadministrator
owner
root
sys
system

# rfc2142 reserved email addresses
abuse
ftp
hostmaster
info
marketing
news
noc
postmaster
sales
security
support
usenet
uucp
webmaster
www

# SSL - CA ownership verification
admin
administrator
hostmaster
info
is
it
mis
postmaster
root
ssladmin
ssladministrator
sslwebmaster
sysadmin
webmaster

# commonly-used email addresses
community
contact
mailer-daemon
mailerdaemon
me
no-reply
nobody
noreply
user
users

# commonly-used top paths
about
admin
app
blog
copyright
css
dashboard
dev
developer
developers
docs
errors
events
example
faq
faqs
features
guest
guests
help
image
images
img
js
login
logout
media
new
news
pricing
privacy
signin
signout
src
status
support
terms
tutorial
tutorials

# network
broadcasthost
localdomain
localhost

# auto-discovery
wpad
autoconfig
isatap