There's a vague warning in the security docs 
<https://docs.djangoproject.com/en/4.0/topics/security/#host-header-validation> 
that says:

> many common web servers [have] a configuration that seems to validate the 
> Host header [that] may not in fact do so. For instance, even if Apache is 
> configured such that your Django site is served from a non-default 
> virtual host with the ServerName set, it is still possible for an HTTP 
> request to match this virtual host and supply a fake Host header.

Does anybody know if this applies to *any* other server? The way it causes 
problems in Apache is very specific, and should be really really uncommon 
since the web has moved to HTTPS by default. (If the HOST header on the 
request doesn't match a named virtual host in Apache, and it doesn't match 
a host via SSL's Server Name Indication (SNI), Apache forwards the request 
to the first named virtual host 
<https://httpd.apache.org/docs/trunk/vhosts/details.html>).

If there's no other server we know of that this impacts, I'd suggest we 
tighten this warning to explain that it only applies to Apache without SSL, 
or maybe we even remove this warning altogether?

I spent some time today researching this because I wanted to make sure the 
issue didn't apply to the server I'm using (AWS ELB — It doesn't). It's 
always good to clean up old warnings if we can.

Thanks,

Mike

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/7e8c8674-55a6-4b63-b8d4-7626b56b72e6n%40googlegroups.com.
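The scenario the post describes, written up as an added example that is not part of the thread and not Django's or Apache's own code. It models two layers: a simplified name-based virtual-host lookup that falls back to the first vhost when no ServerName matches (the behaviour the post attributes to Apache; the model is an assumption, not Apache's full algorithm), and a Host validator that follows the same matching rules as Django's ALLOWED_HOSTS setting (exact name, ".example.com" for a domain and its subdomains, "*" for anything). The vhost names and ALLOWED_HOSTS values are constructed. The point it shows is the one the docs warning makes: a spoofed Host header can still reach the Django site through the fallback, so the application-level check is what rejects it.

```python
import re
from dataclasses import dataclass, field

# Host header grammar: a DNS name or a bracketed IPv6 literal, optionally ":port".
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host):
    """Return (domain, port) from a Host header value, or ("", "") if malformed."""
    host = host.lower()
    m = HOST_RE.match(host)
    if not m:
        return "", ""
    domain, port = m.groups()
    if domain.endswith("."):  # strip the trailing dot of a fully qualified name
        domain = domain[:-1]
    return domain, (port[1:] if port else "")


def is_same_domain(host, pattern):
    """ALLOWED_HOSTS-style match: ".example.com" covers the domain and subdomains."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host, allowed_hosts):
    """True if the (already split) domain matches any entry in allowed_hosts."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


@dataclass
class VHost:
    """Constructed model of one named virtual host and the Django app behind it."""
    server_name: str
    aliases: list = field(default_factory=list)
    allowed_hosts: list = field(default_factory=list)  # the app's ALLOWED_HOSTS


def select_vhost(vhosts, host_header):
    """Simplified name-based vhost selection: first ServerName/alias match,
    otherwise the first vhost defined on the listener (the fallback the post
    describes for Apache without SNI)."""
    domain, _ = split_domain_port(host_header)
    for vh in vhosts:
        if domain == vh.server_name or domain in vh.aliases:
            return vh
    return vhosts[0]


def handle(vhosts, host_header):
    """Return (server_name of the vhost that received the request,
    whether that app's Host validation accepted the header)."""
    vh = select_vhost(vhosts, host_header)
    domain, _ = split_domain_port(host_header)
    accepted = bool(domain) and validate_host(domain, vh.allowed_hosts)
    return vh.server_name, accepted


# Constructed deployment: the Django site is the first (fallback) vhost.
VHOSTS = [
    VHost("app.example.com", allowed_hosts=["app.example.com"]),
    VHost("other.example.com", aliases=["www.other.example.com"],
          allowed_hosts=[".other.example.com"]),
]

if __name__ == "__main__":
    for header in ["app.example.com", "APP.example.com:8000",
                   "www.other.example.com", "attacker.example"]:
        print(header, "->", handle(VHOSTS, header))
```

A request carrying a Host header that matches no ServerName still lands on the first vhost, so the web server's configuration alone does not prove the header is genuine; the application-side check against ALLOWED_HOSTS is the control that rejects it.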