#35458: Docs: clarify need for ALLOWED_HOSTS
----------------------------------------------+------------------------
Reporter: Klaas van Schelven | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 5.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------------+------------------------
I understand why [https://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do validation of the host header is important] but I do not understand why this would be the responsibility of Django.
The [https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts docs for the settings] mysteriously mention
> which are possible even under many seemingly-safe web server
configurations.
and the [https://docs.djangoproject.com/en/5.0/topics/security/#host-headers-virtual-hosting docs for the host header validation] mention something similar:
> Because even seemingly-secure web server configurations are susceptible
to fake Host headers
and
> Previous versions of this document recommended configuring your web
server to ensure it validates incoming HTTP Host headers. While this is
still recommended, in many common web servers a configuration that seems
to validate the Host header may not in fact do so. For instance, even if
Apache [..]
However, these notes were added in 2013, when Apache still reigned supreme
(moreover: a very different version, possibly with less sane defaults, of
Apache). These days there are many more ways Django is deployed, not least
of which cloud-based ones in which the passing of sane (actually checked)
host headers is left up to some web-facing proxy / webserver in front of
Django.
In 2024, is there still any reason to fear these "many" (undocumented)
"seemingly-safe server configurations" or can I just use a sane proxy
server and let that do the validation instead? Setting `ALLOWED_HOSTS` to
`["*"]` removes one more thing to think about while deploying.
In the context of a bug report (and not just a question): the
documentation should clarify what the actual wrong configurations would
be, it should be mentioned as "defense in depth" rather than a first line
of defense or the whole idea of ALLOWED_HOSTS checking should be removed.
[https://stackoverflow.com/q/78476951/339144 Previously asked on StackOverflow in slightly different words]
--
Ticket URL: <https://code.djangoproject.com/ticket/35458>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
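As an added illustration (not part of the ticket and not Django's own code), here is a small re-implementation of the matching rules the ALLOWED_HOSTS docs describe: exact host match, a leading-dot pattern matching a domain and its subdomains, port stripping, and `"*"` accepting anything. Running it over a constructed set of Host values shows what an explicit list rejects and what `["*"]` waves through, which is exactly the check that gets delegated to the proxy when the setting is opened up. The hostnames used are constructed sample values.

```python
import re

# Hostname or bracketed IPv6 literal with an optional port. Illustrative
# re-implementation modelled on the documented rules, not Django's code.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host: str) -> tuple[str, str]:
    """Normalise a raw Host header into (domain, port); ('', '') if malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal, no port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:
        domain, port = host, ""
    return domain.removesuffix("."), port  # "example.com." is the same FQDN


def is_same_domain(domain: str, pattern: str) -> bool:
    """'.example.com' matches example.com and any subdomain; else exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def host_is_allowed(raw_host: str, allowed_hosts: list[str]) -> bool:
    """True if the Host header value passes an ALLOWED_HOSTS-style list."""
    domain, _port = split_domain_port(raw_host)
    if not domain:
        return False
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


# Constructed sample: values a deployment expects next to spoofed ones.
ALLOWED = [".example.com", "[2001:db8::1]"]
SAMPLE_HOSTS = [
    "www.example.com:443", "example.com.", "evil.example.com.attacker.test",
    "[2001:db8::1]:8000", "attacker.test",
]


def audit(allowed_hosts: list[str], hosts=SAMPLE_HOSTS) -> dict[str, bool]:
    """Map each sample Host value to whether the given list would accept it."""
    return {h: host_is_allowed(h, allowed_hosts) for h in hosts}


if __name__ == "__main__":
    for name, cfg in (("explicit", ALLOWED), ("wildcard", ["*"])):
        print(name, audit(cfg))
```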