Django ALLOWED_HOSTS = ['*']

fishtails · March 5, 2022, 12:11pm

Hello,

In the How to setup DJANGO application on CyberPanel/OpenLiteSpeed tutorial, step 4 states to make sure allowed hosts looks like

ALLOWED_HOSTS = [‘*’]

According to Django documentation ,

Blockquote
this setting is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations. A value of '*' will match anything; in this case you are responsible to provide your own validation of the Host header (perhaps in a middleware; if so this middleware must be listed first in MIDDLEWARE).

Is there not a security issue by allowing all hosts as the tutorial suggests? In my django installations on other servers I do not allow all hosts, just the domain/s i.e. example.com and do not implement the [MIDDLEWARE] . I do not see any reference in the tutorial on setting up a [MIDDLEWARE] .

Is it safe to allow all hosts * ?

Thank you

usmannasir · March 5, 2022, 12:42pm

The tutorial was supposed to make it easy to set up, but you being a developer should follow best practice and use your deployment domain in the allowed host.

fishtails · March 5, 2022, 2:14pm

Thank you, once again for the quick response. This confirms what I will do. May I suggest adding a note regarding this in the Step 4 of the tutorial?

Thanks again. You are very helpful.