#35458: Docs: clarify need for ALLOWED_HOSTS
------------------------------------+--------------------------------------
     Reporter:  Klaas van Schelven  |                    Owner:  nobody
         Type:  Uncategorized       |                   Status:  closed
    Component:  Documentation       |                  Version:  5.0
     Severity:  Normal              |               Resolution:  needsinfo
     Keywords:                      |             Triage Stage:  Unreviewed
    Has patch:  0                   |      Needs documentation:  0
  Needs tests:  0                   |  Patch needs improvement:  0
Easy pickings:  0                   |                    UI/UX:  0
------------------------------------+--------------------------------------
Comment (by Klaas van Schelven):

 Those notes give slightly more context, but not too much more; i.e. "it
 has been reported to us that even with the recommended web server
 configurations there are still techniques available for tricking many
 common web servers into supplying the application with an incorrect and
 possibly malicious Host header." still leaves me to wonder what these
 techniques would be and how one could defend against them at the level of
 the webserver (Apache, Nginx) rather than Django.

 > I think you're suggesting that Django should recommend or imply having
 > `ALLOWED_HOSTS` as `["*"]` is safe.

 This was indeed one of the options in my original post. However, having
 since tried my hand at properly configuring the front-facing part, I have
 come to the conclusion that defense in depth is indeed a good
 recommendation. Still, I think the wording of the docs could be more
 clear, but I have to admit I don't have a good alternative myself.

 Closing this issue for now is good for me.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35458#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
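The comment above contrasts `ALLOWED_HOSTS = ["*"]` with an explicit host list as a defense-in-depth check behind the web server. The following is an added example, not code from the ticket or from Django itself: a simplified, standard-library-only reimplementation of the Host-header validation rule that the `ALLOWED_HOSTS` setting applies (the regex shape, the `*` wildcard, the leading-dot subdomain pattern and the trailing-dot/port handling are modelled on Django's documented behaviour, which is an assumption of this example). The sample Host values are constructed here to show which requests each setting lets through.

```python
import re

# Regex modelled on the host-validation pattern Django applies to a
# lowercased Host header (assumption: this mirrors documented behaviour,
# it is not Django's own code). Allows a DNS name or a bracketed IPv6
# literal, optionally followed by ":port".
HOST_VALIDATION_RE = re.compile(
    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
)


def split_domain_port(host: str) -> tuple[str, str]:
    """Return (domain, port) from a raw Host header value.

    The domain is lowercased and has a single trailing dot stripped;
    anything that does not look like a host at all yields ("", "").
    """
    host = host.lower()
    match = HOST_VALIDATION_RE.match(host)
    if not match:
        return "", ""
    domain, port = match.group(1), match.group(2)
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, (port[1:] if port else "")


def is_same_domain(host: str, pattern: str) -> bool:
    """Match one ALLOWED_HOSTS entry against an already-normalised domain.

    A pattern beginning with "." matches the bare domain and every
    subdomain of it; any other pattern must match exactly.
    """
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed_host(host_header: str, allowed_hosts: list[str]) -> bool:
    """Decide whether a request with this Host header should be served."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


# Constructed sample Host values: what a correctly configured front-end
# forwards, plus values an application should not trust blindly.
SAMPLE_HOSTS = [
    "www.example.com",
    "example.com:8443",
    "Example.COM.",
    "api.example.com",
    "attacker.example",
    "example.com.attacker.example",
    "[::1]:8000",
    "not a host",
]

WILDCARD = ["*"]
STRICT = ["example.com", ".example.com"]


def audit(hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each sample Host to (allowed under ["*"], allowed under STRICT)."""
    return {
        h: (is_allowed_host(h, WILDCARD), is_allowed_host(h, STRICT))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (wild, strict) in audit(SAMPLE_HOSTS).items():
        print(f"{host!r:38} wildcard={wild!s:5} strict={strict}")
```

Running it shows the point the commenter arrived at: with `["*"]` every syntactically valid Host passes, so whatever the web server forwards is accepted, whereas the explicit list still rejects `attacker.example` and `example.com.attacker.example` even if the front-end did pass them on. Note that `.example.com` deliberately admits any subdomain, so that pattern is only as tight as the DNS you control.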
