#35458: Docs: clarify need for ALLOWED_HOSTS

Reporter: Klaas van Schelven       | Owner: nobody
Type: Uncategorized                | Status: new
Component: Uncategorized           | Version: 5.0
Severity: Normal                   | Keywords:
Triage Stage: Unreviewed           | Has patch: 0
Needs documentation: 0             | Needs tests: 0
Patch needs improvement: 0         | Easy pickings: 0
UI/UX: 0                           |

I understand why [https://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do validation of the host header is important] but I do not understand why this would be the responsibility of Django.

The [https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts docs for the settings] mysteriously mention

> which are possible even under many seemingly-safe web server configurations.

and the [https://docs.djangoproject.com/en/5.0/topics/security/#host-headers-virtual-hosting docs for the host header validation] mention something similar:

> Because even seemingly-secure web server configurations are susceptible to fake Host headers

and

> Previous versions of this document recommended configuring your web server to ensure it validates incoming HTTP Host headers. While this is still recommended, in many common web servers a configuration that seems to validate the Host header may not in fact do so. For instance, even if Apache [..]

However, these notes were added in 2013, when Apache still reigned supreme (moreover: a very different version, possibly with less sane defaults, of Apache). These days there are many more ways Django is deployed, not least of which are cloud-based ones in which the passing of sane (actually checked) host headers is left up to some web-facing proxy / webserver in front of Django.

In 2024, is there still any reason to fear these "many" (undocumented) "seemingly-safe server configurations", or can I just use a sane proxy server and let that do the validation instead? Setting `ALLOWED_HOSTS` to `["*"]` removes one more thing to think about while deploying.

In the context of a bug report (and not just a question): the documentation should clarify what the actual wrong configurations would be, it should be mentioned as "defense in depth" rather than a first line of defense, or the whole idea of ALLOWED_HOSTS checking should be removed.

[https://stackoverflow.com/q/78476951/339144 Previously asked on StackOverflow in slightly different words]

--
Ticket URL: <https://code.djangoproject.com/ticket/35458>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
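The following is an added example for readers of this ticket; it is not part of the ticket and not Django's own code. It reimplements the ALLOWED_HOSTS matching semantics as the settings documentation describes them (exact match, a leading dot as a subdomain wildcard, "*" matching anything, the port ignored, malformed values rejected) and runs it against constructed Host header values, including a spoofed one of the kind host-header poisoning relies on. The function names, the regular expression and the sample hosts are assumptions made for the example, not Django internals. The point it shows is what `["*"]` gives up: every value, including the spoofed one, passes.

```python
"""Stand-alone reimplementation of the documented ALLOWED_HOSTS check.

Added example for Django ticket #35458; not Django's code. Names, regex and
sample hosts below are constructed for illustration.
"""
import re

# Approximation of the host[:port] syntax: a DNS name or IPv4 literal, or a
# bracketed IPv6 literal, optionally followed by a numeric port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::([0-9]+))?$")


def split_domain_port(host_header):
    """Return (domain, port) for a Host header value, or ('', '') if malformed.

    Matching is case-insensitive and a trailing dot on a fully-qualified name
    is treated as equivalent to none, as the documented check does.
    """
    m = _HOST_RE.match(host_header.lower())
    if not m:
        return "", ""
    domain, port = m.group(1), m.group(2) or ""
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def validate_host(domain, allowed_hosts):
    """True if `domain` (already stripped of its port) matches a pattern.

    Patterns: "*" matches anything; ".example.com" matches example.com and any
    subdomain of it; anything else must match exactly.
    """
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def check_host_header(host_header, allowed_hosts):
    """Emulate the accept/reject decision made when a request reaches Django.

    A malformed header or one that matches no pattern is rejected; Django
    itself raises DisallowedHost (HTTP 400) in that case.
    """
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


def demo():
    """Run constructed Host values through a strict and a wildcard setting."""
    strict = ["www.example.com", ".api.example.com"]
    wildcard = ["*"]
    # "evil.example" stands in for the attacker-chosen host that a
    # password-reset or absolute-URL template would echo back.
    samples = [
        "www.example.com",
        "WWW.EXAMPLE.COM:443",
        "www.example.com.",
        "api.example.com",
        "v2.api.example.com",
        "evil.example",
        "www.example.com.evil.example",
        "[::1]:8000",
        "www.example.com/../",
    ]
    return {h: (check_host_header(h, strict), check_host_header(h, wildcard))
            for h in samples}


if __name__ == "__main__":
    for host, (strict_ok, wildcard_ok) in demo().items():
        print(f"{host:32} strict={strict_ok!s:5} wildcard={wildcard_ok}")
```

The "seemingly-safe" configurations the docs allude to are typically front ends whose `server_name`/`ServerName` directive looks like a whitelist but is not one: when no virtual host matches the incoming Host, both nginx and Apache route the request to the default (first-defined) virtual host rather than refusing it, so a single `server_name www.example.com;` block still answers for `evil.example` unless an explicit catch-all that returns an error is configured. The check above is what catches that case when it is left in place rather than disabled with `["*"]`.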