#35458: Docs: clarify need for ALLOWED_HOSTS
------------------------------------+--------------------------------------
Reporter: Klaas van Schelven | Owner: nobody
Type: Uncategorized | Status: closed
Component: Documentation | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Changes (by Sarah Boyce):
* component: Uncategorized => Documentation
* resolution: => needsinfo
* status: new => closed
Comment:
I believe the [https://docs.djangoproject.com/en/5.0/releases/1.4.4/#host-
header-poisoning Django 1.4.4 release notes] gives more context.
I think you're suggesting that Django should recommend or imply having
`ALLOWED_HOSTS` as `["*"]` is safe.
You should discuss this on the
[https://forum.djangoproject.com/c/internals/5 Django forum] and state why
this should be updated/allowed. As this relates to security, we need very
strong consensus and evidence that this is safe before we can make an
update. The security team may also want to review such an update. During
this discussion you might conclude to add some doc clarifications.
I am closing this request for now but if after a discussion you have a
concrete proposal, please reopen the ticket for consideration.
--
Ticket URL: <https://code.djangoproject.com/ticket/35458#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018f9f086387-b9b6053b-cb7d-4f93-af62-5c2a1acb171b-000000%40eu-central-1.amazonses.com.
