#35458: Docs: clarify need for ALLOWED_HOSTS
----------------------------------------------+------------------------
               Reporter:  Klaas van Schelven  |          Owner:  nobody
                   Type:  Uncategorized       |         Status:  new
              Component:  Uncategorized       |        Version:  5.0
               Severity:  Normal              |       Keywords:
           Triage Stage:  Unreviewed          |      Has patch:  0
    Needs documentation:  0                   |    Needs tests:  0
Patch needs improvement:  0                   |  Easy pickings:  0
                  UI/UX:  0                   |
----------------------------------------------+------------------------
 I understand why
 [https://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do validation of the host header is important]
 but I do not understand why this would be the responsibility of Django.

 The [https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts
 docs for the settings] mysteriously mention

 > which are possible even under many seemingly-safe web server
 configurations.

 and the
 [https://docs.djangoproject.com/en/5.0/topics/security/#host-headers-virtual-hosting docs for the host header validation]
 mention something similar:

 > Because even seemingly-secure web server configurations are susceptible
 to fake Host headers

 and

 > Previous versions of this document recommended configuring your web
 server to ensure it validates incoming HTTP Host headers. While this is
 still recommended, in many common web servers a configuration that seems
 to validate the Host header may not in fact do so. For instance, even if
 Apache [..]

 However, these notes were added in 2013, when Apache still reigned supreme
 (moreover: a very different version, possibly with less sane defaults, of
 Apache). These days there are many more ways Django is deployed, not least
 of which cloud-based ones in which the passing of sane (actually checked)
 host headers is left up to some web-facing proxy / webserver in front of
 Django.

 In 2024, is there still any reason to fear these "many" (undocumented)
 "seemingly-safe server configurations" or can I just use a sane proxy
 server and let that do the validation instead? Setting `ALLOWED_HOSTS` to
 `["*"]` removes one more thing to think about while deploying.

 In the context of a bug report (and not just a question): the
 documentation should clarify what the actual wrong configurations would
 be, it should be mentioned as "defense in depth" rather than a first line
 of defense or the whole idea of ALLOWED_HOSTS checking should be removed.

 [https://stackoverflow.com/q/78476951/339144 Previously asked on
 StackOverflow in slightly different words]
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35458>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
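
The check this ticket is about, as an added example that is not part of the ticket and not Django's own code: a stand-alone sketch of Host allow-list matching that follows the rules documented for `ALLOWED_HOSTS` (exact match, leading-dot subdomain wildcard, `"*"` matches anything). The function names and all host values are constructed for illustration; it shows which Host headers an explicit list rejects that `["*"]` lets through when the proxy in front does not filter them.

```python
# Added illustration: simplified re-implementation, not Django's source.
import re

# Host header = name or bracketed IPv6 literal, with an optional :port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::(\d+))?$")


def split_domain_port(host):
    """Return (domain, port) lowercased, or ("", "") if the value is malformed."""
    m = _HOST_RE.match(host.lower())
    if not m:
        return "", ""
    domain, port = m.group(1), m.group(2) or ""
    # A fully qualified name may carry a trailing dot; compare without it.
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def matches(domain, pattern):
    """Apply one allow-list entry to an already-normalised domain."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # ".example.com" covers example.com and any subdomain of it.
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def host_allowed(host_header, allowed_hosts):
    """True if the Host header value passes the allow-list."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(matches(domain, p) for p in allowed_hosts)


# Constructed Host header values a backend might receive from a proxy.
SAMPLES = ["app.example.com", "app.example.com:8443", "APP.example.com.",
           "evil.test", "app.example.com.evil.test", "[::1]:8000"]


def compare(strict, permissive=("*",)):
    """Map each sample to (allowed by strict list, allowed by permissive list)."""
    return {h: (host_allowed(h, strict), host_allowed(h, permissive))
            for h in SAMPLES}


if __name__ == "__main__":
    for host, (strict_ok, star_ok) in compare(["app.example.com"]).items():
        print(f"{host:28} explicit={strict_ok!s:5} star={star_ok}")
```
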
