Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Below we construct a large but non-exhaustive list of names which
# users probably should not be able to register with, due to various
# risks:
#
# * For a site which creates email addresses from username, important
# common addresses must be reserved.
#
# * For a site which creates subdomains from usernames, important
# common hostnames/domain names must be reserved.
#
# * For a site which uses the username to generate a URL to the user's
# profile, common well-known filenames must be reserved.
#
# etc., etc.
#
# Credit for basic idea and most of the list to Geoffrey Thomas's blog
# post about names to reserve:
# https://ldpreload.com/blog/names-to-reserve
SPECIAL_HOSTNAMES = [
# Hostnames with special/reserved meaning.
'autoconfig', # Thunderbird autoconfig
'autodiscover', # MS Outlook/Exchange autoconfig
'broadcasthost', # Network broadcast hostname
'isatap', # IPv6 tunnel autodiscovery
'localdomain', # Loopback
'localhost', # Loopback
'wpad', # Proxy autodiscovery
]
PROTOCOL_HOSTNAMES = [
# Common protocol hostnames.
'ftp',
'imap',
'mail',
'news',
'pop',
'pop3',
'smtp',
'usenet',
'uucp',
'webmail',
'www',
]
CA_ADDRESSES = [
# Email addresses known used by certificate authorities during
# verification.
'admin',
'administrator',
'hostmaster',
'info',
'is',
'it',
'mis',
'postmaster',
'root',
'ssladmin',
'ssladministrator',
'sslwebmaster',
'sysadmin',
'webmaster',
]
RFC_2142 = [
# RFC-2142-defined names not already covered.
'abuse',
'marketing',
'noc',
'sales',
'security',
'support',
]
NOREPLY_ADDRESSES = [
# Common no-reply email addresses.
'mailer-daemon',
'nobody',
'noreply',
'no-reply',
]
SENSITIVE_FILENAMES = [
# Sensitive filenames.
'clientaccesspolicy.xml', # Silverlight cross-domain policy file.
'crossdomain.xml', # Flash cross-domain policy file.
'favicon.ico',
'humans.txt',
'keybase.txt', # Keybase ownership-verification URL.
'robots.txt',
'.htaccess',
'.htpasswd',
]
OTHER_SENSITIVE_NAMES = [
# Other names which could be problems depending on URL/subdomain
# structure.
'account',
'accounts',
'blog',
'buy',
'clients',
'contact',
'contactus',
'contact-us',
'copyright',
'dashboard',
'doc',
'docs',
'download',
'downloads',
'enquiry',
'faq',
'help',
'inquiry',
'license',
'login',
'logout',
'me',
'myaccount',
'payments',
'plans',
'portfolio',
'preferences',
'pricing',
'privacy',
'profile',
'register'
'secure',
'settings',
'signin',
'signup',
'ssl',
'status',
'subscribe',
'terms',
'tos',
'user',
'users'
'weblog',
'work',
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.