Django ALLOWED_HOSTS = ['*']


In the How to setup DJANGO application on CyberPanel/OpenLiteSpeed tutorial, step 4 states to make sure allowed hosts looks like


According to the Django documentation,

this setting is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations. A value of '*' will match anything; in this case you are responsible to provide your own validation of the Host header (perhaps in a middleware; if so this middleware must be listed first in MIDDLEWARE).

Is there not a security issue by allowing all hosts as the tutorial suggests? In my Django installations on other servers I do not allow all hosts, just the domain/s i.e. and do not implement the [MIDDLEWARE]. I do not see any reference in the tutorial on setting up a [MIDDLEWARE].

Is it safe to allow all hosts * ?

Thank you

The tutorial was supposed to make it easy to set up, but you being a developer should follow best practice and use your deployment domain in the allowed host.
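To make the difference concrete, here is an added example (not code from the tutorial, from CyberPanel or from Django itself) that puts the tutorial's `['*']` beside a hardened value and runs both through a host check that reimplements Django's documented matching rules (exact name, a leading `.` for subdomains, `*` for anything). `example.com` is a placeholder for the deployment domain.

```python
"""Weak vs. hardened ALLOWED_HOSTS, checked with a reimplementation of
Django's documented Host-header matching (not imported from Django)."""
import re

# Tutorial setting: every Host header matches, so Django validates nothing.
ALLOWED_HOSTS_WEAK = ['*']
# Hardened setting: the deployment domain and its subdomains only
# (placeholder domain, replace with your own).
ALLOWED_HOSTS_HARDENED = ['example.com', '.example.com']

# Same shape Django uses: a DNS name or bracketed IPv6, optional :port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$")


def split_domain_port(host: str):
    """Return (domain, port); ('', '') when the header is malformed."""
    host = host.lower()
    if not _HOST_RE.match(host):
        return '', ''
    if host[-1] == ']':            # IPv6 literal without a port
        return host, ''
    bits = host.rsplit(':', 1)
    domain, port = bits if len(bits) == 2 else (bits[0], '')
    return domain.rstrip('.'), port   # "example.com." == "example.com"


def is_same_domain(host: str, pattern: str) -> bool:
    """'.example.com' matches example.com and any subdomain; else exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == '.':
        return host == pattern[1:] or host.endswith(pattern)
    return pattern == host


def validate_host(host: str, allowed_hosts) -> bool:
    """True if any ALLOWED_HOSTS entry accepts the (already split) host."""
    return any(p == '*' or is_same_domain(host, p) for p in allowed_hosts)


def host_accepted(host_header: str, allowed_hosts) -> bool:
    """Full check as applied to a raw Host header value."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


if __name__ == '__main__':
    for hdr in ['www.example.com:8443', 'attacker.example', 'evil-example.com']:
        print(hdr, host_accepted(hdr, ALLOWED_HOSTS_WEAK),
              host_accepted(hdr, ALLOWED_HOSTS_HARDENED))
```

With `['*']` the second column is True for every header, including names that are not yours; the hardened list accepts only the placeholder domain and its subdomains, so a forged Host header is rejected before it reaches your views.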

Thank you, once again for the quick response. This confirms what I will do. May I suggest adding a note regarding this in the Step 4 of the tutorial?

Thanks again. You are very helpful.