@yurh yurh commented Aug 21, 2025

Nowadays, there are spiders scanning many kinds of host names.

*.yourdomain.com will cause lots of DisallowedHost errors, which will send out thousands of emails to the admin.

Using BadRequest will keep this silent.

For example:
http://1.2.178.27_www.a.yourdomain.com:8004/sitemap.xml

There are spiders scanning many kinds of host names.

*.yourdomain.com will cause lots of DisallowedHost errors, which will send out emails to the admin.

Using BadRequest will keep this silent.
@github-actions github-actions bot added the no ticket Based on PR title, no linked Trac ticket label Aug 21, 2025

@github-actions github-actions bot left a comment

Hello! Thank you for your contribution 💪

As it's your first contribution be sure to check out the patch review checklist.

If you're fixing a ticket from Trac make sure to set the "Has patch" flag and include a link to this PR in the ticket!

If you have any design or process questions then you can ask in the Django forum.

Welcome aboard ⛵️!

@RealOrangeOne
Member

I don't think this is something which Django should handle. Keeping this a specific exception allows Django to flag it in certain ways (like an email, as you say). Rejecting an unknown hostname is not only not a bug, it's a security feature.

If you don't want these errors, you have 2 options:

  1. Update ALLOWED_HOSTS to include "*", which avoids the errors you mention. This is probably not ideal, since really you only want a specific set of domains to be used to access your application
  2. Change your infrastructure to only serve Django on one domain, and reject all the others. This can be done fairly easily with reverse proxies like nginx, and is usually the default behaviour for many more managed hosting providers (eg Heroku).

The alternative would be filtering out these emails, or using an alternative error monitoring solution, but that's likely a bigger ask.

Regardless, your issue might be better discussed elsewhere, where the community can help resolve your issue. See https://www.djangoproject.com/community/ for places you can get some help.
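
The "filtering out these emails" alternative mentioned above, as an added example that is not part of the comment or of Django's code: a `LOGGING`-shaped dict that routes only the `django.security.DisallowedHost` logger to a null handler. `CapturingHandler`, `logging_settings`, `admin_mails` and `SCANNER_HOSTS` are hypothetical names, and the handler stands in for Django's `AdminEmailHandler` so the block runs with the standard library alone.

```python
import logging
import logging.config


class CapturingHandler(logging.Handler):
    """Stand-in (assumption) for django.utils.log.AdminEmailHandler: stores
    logger names instead of sending mail, so the example runs without Django."""

    def __init__(self):
        super().__init__()
        self.captured = []

    def emit(self, record):
        self.captured.append(record.name)


def logging_settings(silence_disallowed_host):
    """Return a dict in the shape of Django's LOGGING setting."""
    loggers = {"django": {"handlers": ["mail_admins"], "level": "INFO"}}
    if silence_disallowed_host:
        # Swallow only the host-header noise; the request is still rejected
        # with a 400 and every other django.security.* logger still propagates.
        loggers["django.security.DisallowedHost"] = {
            "handlers": ["null"],
            "propagate": False,
        }
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {
            "mail_admins": {"()": CapturingHandler, "level": "ERROR"},
            "null": {"class": "logging.NullHandler"},
        },
        "loggers": loggers,
    }


def admin_mails(hosts, silence_disallowed_host):
    """Replay scanner traffic plus one genuine error; return what would be mailed."""
    logging.config.dictConfig(logging_settings(silence_disallowed_host))
    mailer = logging.getLogger("django").handlers[0]
    for host in hosts:  # Django logs rejected hosts on this logger at ERROR
        logging.getLogger("django.security.DisallowedHost").error(
            "Invalid HTTP_HOST header: %r.", host)
    logging.getLogger("django.request").error("Internal Server Error: /checkout/")
    return mailer.captured


# Constructed sample: the host from the PR description plus two made-up ones.
SCANNER_HOSTS = ["1.2.178.27_www.a.yourdomain.com:8004", "x.yourdomain.com", "y.yourdomain.com"]
```

In a real project only the `null` handler and the `django.security.DisallowedHost` logger entry need to be merged into the existing `LOGGING` setting; `ALLOWED_HOSTS` stays restrictive.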

@nessita
Contributor

nessita commented Aug 21, 2025

Thank you @RealOrangeOne, I agree fully.

@nessita nessita closed this Aug 21, 2025
@timgraham timgraham changed the title Update request.py Changed "Invalid HTTP_HOST header" error from DisallowedHost to BadRequest. Aug 21, 2025