# Below we construct a large but non-exhaustive list of names which
# users should not be able to register, because a username is often
# reused as a mailbox name, a hostname or a URL path segment, and a
# user who owns one of these names can impersonate the site or hijack
# a validation flow:
#
# * For a site which creates email addresses from usernames, important
#   common addresses (postmaster, abuse, the CA-validation mailboxes)
#   must be reserved.
#
# * For a site which creates subdomains from usernames, important
#   common hostnames/domain names (www, mail, autoconfig, wpad) must
#   be reserved.
#
# * For a site which uses the username to generate a URL to the user's
#   profile, common well-known filenames (robots.txt, crossdomain.xml)
#   must be reserved.
#
# etc., etc.
#
# Note for integrators: compare the *normalised* candidate username
# against these lists (at least lower-cased and whitespace-stripped;
# mail and DNS names are case-insensitive), otherwise "Admin" or
# "WWW" slips past a case-sensitive check.
#
# Credit for basic idea and most of the list to Geoffrey Thomas's blog
# post about names to reserve:
# https://ldpreload.com/blog/names-to-reserve
# Hostnames with special/reserved meaning. A user-controlled subdomain
# with one of these names could answer client auto-configuration or
# loopback lookups on behalf of the whole domain.
#   autoconfig    - Thunderbird autoconfig
#   autodiscover  - MS Outlook/Exchange autoconfig
#   broadcasthost - network broadcast hostname
#   isatap        - IPv6 tunnel autodiscovery
#   localdomain   - loopback
#   localhost     - loopback
#   wpad          - proxy autodiscovery
SPECIAL_HOSTNAMES = """
    autoconfig
    autodiscover
    broadcasthost
    isatap
    localdomain
    localhost
    wpad
""".split()
# Common protocol hostnames (mail, news and web service names that
# clients and administrators expect to belong to the site itself).
PROTOCOL_HOSTNAMES = """
    ftp
    imap
    mail
    news
    pop
    pop3
    smtp
    usenet
    uucp
    webmail
    www
""".split()
# Email addresses known to be used by certificate authorities during
# domain-validation. If a user can receive mail at one of these, they
# can complete a CA's email challenge and obtain a certificate for the
# site's domain. admin, administrator, hostmaster, postmaster and
# webmaster are the five the CA/Browser Forum Baseline Requirements
# permit for validation mail; the others are historical CA practice.
CA_ADDRESSES = """
    admin
    administrator
    hostmaster
    info
    is
    it
    mis
    postmaster
    root
    ssladmin
    ssladministrator
    sslwebmaster
    sysadmin
    webmaster
""".split()
# RFC 2142 ("Mailbox Names for Common Services, Roles and Functions")
# names not already covered by the lists above.
RFC_2142 = """
    abuse
    marketing
    noc
    sales
    security
    support
""".split()
# Common no-reply / system sender addresses. Mail "from" these names
# is trusted as automated system output, so no user may own them.
# Order is kept as originally written (not alphabetical).
NOREPLY_ADDRESSES = """
    mailer-daemon
    nobody
    noreply
    no-reply
""".split()
# Sensitive filenames: well-known paths that browsers, plugins or
# services fetch from the site root, and which must therefore never
# resolve to a user profile.
#   clientaccesspolicy.xml - Silverlight cross-domain policy file
#   crossdomain.xml        - Flash cross-domain policy file
#   keybase.txt            - Keybase ownership-verification URL
#   favicon.ico, humans.txt, robots.txt - conventional root files
#   .htaccess, .htpasswd   - Apache per-directory config/credentials
SENSITIVE_FILENAMES = """
    clientaccesspolicy.xml
    crossdomain.xml
    favicon.ico
    humans.txt
    keybase.txt
    robots.txt
    .htaccess
    .htpasswd
""".split()
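# Other names which could be problems depending on URL/subdomain
# structure (login/signup/account paths, legal pages, status pages).
#
# Every entry carries a trailing comma. The original listing omitted
# the comma after 'register' and after 'users', so Python's implicit
# string-literal concatenation silently produced the single entries
# 'registersecure' and 'usersweblog' -- leaving 'register', 'secure',
# 'users' and 'weblog' all registrable.
OTHER_SENSITIVE_NAMES = [
    'account',
    'accounts',
    'blog',
    'buy',
    'clients',
    'contact',
    'contactus',
    'contact-us',
    'copyright',
    'dashboard',
    'doc',
    'docs',
    'download',
    'downloads',
    'enquiry',
    'faq',
    'help',
    'inquiry',
    'license',
    'login',
    'logout',
    'me',
    'myaccount',
    'payments',
    'plans',
    'portfolio',
    'preferences',
    'pricing',
    'privacy',
    'profile',
    'register',
    'secure',
    'settings',
    'signin',
    'signup',
    'ssl',
    'status',
    'subscribe',
    'terms',
    'tos',
    'user',
    'users',
    'weblog',
    'work',
]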