If you’re developing or installing a service with accounts, this is a list of hostnames and usernames that you should deny.
All the credit goes to Geoffrey Thomas who also gives a good explanation of why you should adopt such list in his blog post: https://ldpreload.com/blog/names-to-reserve Please make sure to read that to understand that this blacklist is only one part of the protection needed to avoid issues like domain-level cookies.
If you see any omission in the list, send me a PR.
For the sake of forward-compatiblity (and keeping the blacklist small), all usernames should only allow ASCII-only hostname-like names.
In regexp format: /^[a-z]([a-z0-9-]*[a-z0-9])?$/
Each line is either an empty line, a comment or a username.
A comment line starts with a # character.
Usernames can also be duplicated if they belong to different categories.
Or if you want to import the list programmatically here is the EBNF format:
cr = "\n";
not-cr = all characters - cr;
comment = "#", { not-cr } ;
username = all characters - "#" , { not-cr } ;
line = ( comment | username | ), cr ;
grammar = { line } ;link:names-to-reserve.txt[role=include]Copyright and related rights waived via CC0