
Hostnames and usernames to reserve - paulproteus
https://ldpreload.com/blog/names-to-reserve
======
zimbatm
When github used to host "pages" under github.com I remember registering
"blog.github.com" (and reporting obviously). If you take the social-engineering
into account the list should be made long: login, support, status, help, ...

Just to say, the list could be made much longer (e.g. login).

~~~
zackboe
Seems PayPal also missed this memo:
[https://www.paypal.me/support](https://www.paypal.me/support)
[https://www.paypal.me/download](https://www.paypal.me/download)
[https://www.paypal.me/signup](https://www.paypal.me/signup)

~~~
zachrose
Here are some that I've reserved for my own web app, now inclusive of RFC
2142:

[https://gist.github.com/zachrose/30862a11857a31242d60](https://gist.github.com/zachrose/30862a11857a31242d60)

------
jakobdabo
Thanks, this was very informative.

I wonder how the pull requests for the public suffix domains are being
checked. Can somebody use it as an attack surface by adding the victim's
domain in that list and effectively blocking their website from setting
cookies?

------
_theskumar
Faced with similar issues, I maintain a python library called python-usernames[1]
with a list of close to 400 reserved words[2].

Publishing this as a library helps a lot in collecting the wordlist over time and
being able to use the same list in all my projects.

[1] [https://github.com/theskumar/python-usernames](https://github.com/theskumar/python-usernames)

[2] [https://github.com/theskumar/python-usernames/blob/master/us...](https://github.com/theskumar/python-usernames/blob/master/usernames/reserved_words.py#L4)

------
beneater
See also
[https://www.ietf.org/rfc/rfc2142.txt](https://www.ietf.org/rfc/rfc2142.txt)

------
jnky
I would suggest adding "autodiscover" to the list of disallowed hosts. It is
used by Microsoft Outlook and Exchange ActiveSync clients (e.g. in
smartphones) to automatically detect the correct server settings.

------
ecesena
Also, you should include the name of your service itself, especially if users
can produce content.

Edit: for similar reasons to blog./login./support. etc. (just read other
comments)

------
J_Darnley
Congratulations for using example.com as it is meant to be used.

------
jonasvp
Well, that would have been helpful when I announced
[http://www.browser-details.com](http://www.browser-details.com) on HN - it allows
you to reserve a subdomain and it never even occurred to me that I'd have to
restrict them (apart from the obvious regex).

So a thoughtful HNer taught me a lesson and reserved "www". Took me a second
to figure out why the site didn't behave as expected...

------
dmd
A popular MS Exchange cloud provider is
[http://webmail.domainlocalhost.com](http://webmail.domainlocalhost.com)

Seriously. domainlocalhost.com.

------
shurcooL
The article looks great and makes many good points, but I'll pick on one: why
disallow upper case letters from usernames?

~~~
ams6110
Email addresses and domain names are case-ignoring so you should never allow
usernames that differ only in case. Allowing only lower case is an easy way to
do this.

~~~
chrismorgan
The username part of an email address can actually be case sensitive, and this
has been known to cause problems with some systems (e.g.
[https://airmail.tenderapp.com/help/discussions/287/113-case-...](https://airmail.tenderapp.com/help/discussions/287/113-case-sensitive-email-addresses-being-sent-out-as-all-lowercase)).

~~~
nitrogen
So instead of converting to lowercase, store them with case preserved but do a
case insensitive uniqueness check (and probably allow any case for login).

~~~
protomyth
Or just force all lowercase and keep the support burden lower and save
yourself a ton of trouble when dealing with foreign systems. Add a rule on
incoming e-mail to convert all addresses for the local domain to lowercase to
complete the package.

~~~
nitrogen
It probably depends on whether we're talking about making your own users, like
the original link, or allowing users to interface with other systems, like
entering an email address.

------
protomyth
helpdesk is a pretty good choice to reserve just to keep people from doing
some foolish things.

------
zimbatm
Just compiled the list and added a few others:

[https://zimbatm.github.io/hostnames-and-usernames-to-reserve...](https://zimbatm.github.io/hostnames-and-usernames-to-reserve/)

Feel free to use for your next PaaS!

------
supper
I have handled this by only allowing more-than-one-word names to be used as
subdomains, and made a slug out of it, like so:

My Name => my-name.site.com

Are there any gotchas here for me?

