This repository has been archived by the owner on Oct 15, 2024. It is now read-only.
Hello,

First, I am not an expert in Django or with Heroku use. I have used both on a number of projects, though. I am concerned that django-heroku sets the `ALLOWED_HOSTS` setting to `'*'`. In the Django docs, this is not secure due to the possibility of host header attacks. This is explained in two places: "Host Headers Virtual Hosting" and "allowed hosts".

I understand that this setting can be overridden with `allowed_hosts=False`, but out of the box I think it should avoid introducing any security flaws. Perhaps this is a non-issue, in which case I would love to understand the Heroku service more. To remedy this, I would be interested to know if Heroku provides any information about the URL that can be leveraged (like an environment variable). I will do some research on my own, but I would be interested to see what the authors here have to say.
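An added example (not code from django-heroku or this issue's author) of the alternative the post asks about: deriving `ALLOWED_HOSTS` from an operator-set environment variable instead of `'*'`, with a checker that applies Django's own `ALLOWED_HOSTS` matching rules so the difference in what a `Host` header is accepted becomes visible. The variable name `DJANGO_ALLOWED_HOSTS` and the hostnames are assumptions and constructed sample values.

```python
import os

# Assumed, hypothetical variable name; the operator sets it per deployment.
ALLOWED_HOSTS_ENV = "DJANGO_ALLOWED_HOSTS"


def allowed_hosts_from_env(env=None):
    """Build ALLOWED_HOSTS from a comma-separated environment variable.

    Returns an empty list when the variable is unset, so Django (with
    DEBUG=False) rejects every request rather than silently accepting all.
    """
    env = os.environ if env is None else env
    raw = env.get(ALLOWED_HOSTS_ENV, "")
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def split_host_port(host):
    """Separate 'host:port' (and '[ipv6]:port') into (host, port)."""
    host = host.lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end], host[end + 2:]  # skip the ']:' separator
    if host.count(":") == 1:
        return tuple(host.split(":", 1))
    return host, ""


def host_is_allowed(host_header, allowed_hosts):
    """Apply Django's ALLOWED_HOSTS matching rules to a Host header value.

    '*' matches anything, '.example.com' matches example.com and any
    subdomain, otherwise the match must be exact. A trailing dot (FQDN)
    is ignored, as Django does.
    """
    host, _port = split_host_port(host_header)
    host = host[:-1] if host.endswith(".") else host
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: '*' accepts any Host; the env-derived list does not.
    hosts = allowed_hosts_from_env({ALLOWED_HOSTS_ENV: "myapp.herokuapp.com, .example.com"})
    print(host_is_allowed("attacker.example", ["*"]))   # True
    print(host_is_allowed("attacker.example", hosts))   # False
```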