Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #20338 - Document FQDN behavior with ALLOWED_HOSTS

  • Loading branch information...
commit 6bdeed1b811ddf9a920e925ad05d82cffbf13c3a 1 parent 780fa48
@manfre manfre authored carljm committed
Showing with 14 additions and 0 deletions.
  1. +14 −0 docs/ref/settings.txt
View
14 docs/ref/settings.txt
@@ -79,6 +79,20 @@ responsible to provide your own validation of the ``Host`` header (perhaps in a
middleware; if so this middleware must be listed first in
:setting:`MIDDLEWARE_CLASSES`).
+.. note::
+
+ If you want to also allow the `fully qualified domain name (FQDN)`_, which
+ some browsers can send in the Host header, you must explicitly add another
+ ALLOWED_HOSTS entry that includes a trailing period. This entry can also be
+ a subdomain wildcard::
+
+ ALLOWED_HOSTS = [
+ '.example.com', # Allow domain and subdomains
+ '.example.com.', # Also allow FQDN and subdomains
+ ]
+
+.. _`fully qualified domain name (FQDN)`: http://en.wikipedia.org/wiki/Fully_qualified_domain_name
+
If the ``Host`` header (or ``X-Forwarded-Host`` if
:setting:`USE_X_FORWARDED_HOST` is enabled) does not match any value in this
list, the :meth:`django.http.HttpRequest.get_host()` method will raise
Please sign in to comment.
Something went wrong with that request. Please try again.