Close gaping security hole

MITLibraries · Jun 12, 2017 · b45583e · b45583e
1 parent df51663
commit b45583e
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/docs/README.md b/docs/README.md
@@ -28,6 +28,7 @@ The app deploys to mitlibraries-solenoid.herokuapp.com, with the libdev-cs crede
 
 If for some reason you wanted to set it up from scratch, you'd need to do the following:
 * Set up a Heroku instance associated with your repository (https://devcenter.heroku.com/articles/deploying-python)
+* Add its URL to `ALLOWED_HOSTS` in `settings/heroku.py`
 * Provision the following apps:
   * Postgres
   * Quotaguard Static

diff --git a/solenoid/settings/heroku.py b/solenoid/settings/heroku.py
@@ -20,7 +20,8 @@
 # Honor the 'X-Forwarded-Proto' header for request.is_secure()
 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = ['mitlibraries-solenoid.herokuapp.com',
+                 'mitlibraries-solenoid-staging.herokuapp.com']
 
 
 # STATIC FILE CONFIGURATION