I'm working in Django 1.8. I have set ALLOWED_HOSTS as follows, in both my local and deployed settings:
ALLOWED_HOSTS = ['localhost', 'my.deployed.url']
That way I don't need to change the settings in the deployed version. (Not that this is difficult to do, it's just convenient this way.)
Is there any security reason why I shouldn't have localhost there in the deployed settings on the remote server? From the docs I don't think there is, but I just wanted to check.
ALLOWED_HOSTS. A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations.
An allowed host may be an additional subdomain used by your web application or a completely separate domain used for an API. For example, you can add https://api.example.com as an allowed host to the main target https://www.example.com.
As long as the app does not give superpowers to requests with 'localhost' in the Host HTTP header, it should be OK.
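Added example, not from the question or either answer: a stand-alone Python re-implementation of the matching rules Django applies to ALLOWED_HOSTS (exact name, leading-dot subdomain wildcard, '*'; port and trailing dot ignored), run against the settings from the question, together with the host-based privilege check the answer warns against, beside a version keyed on the connection's peer address instead. The function names and the sample addresses are assumptions, and the matcher is a simplified mirror of Django's own check, not Django code.

```python
# Constructed example: mirrors how Django validates the Host header against
# ALLOWED_HOSTS, to show why 'localhost' in the list is harmless on a public
# server unless the application itself treats that host name as trusted.

ALLOWED_HOSTS = ['localhost', 'my.deployed.url']  # the settings from the question


def split_host_port(host_header):
    """Return the host part of a Host header, dropping an optional :port."""
    host = host_header.strip().lower()
    if host.startswith('['):                 # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find(']')
        return host[:end + 1] if end != -1 else host
    return host.rsplit(':', 1)[0] if host.count(':') == 1 else host


def host_is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Simplified form of Django's ALLOWED_HOSTS matching (1.8 semantics)."""
    host = split_host_port(host_header)
    if host.endswith('.'):                   # a trailing FQDN dot is ignored
        host = host[:-1]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        # '.example.com' matches example.com and every subdomain of it
        if pattern.startswith('.') and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def grants_privilege_by_host(host_header):
    """The anti-pattern the answer names: the Host header is supplied by the
    client, so a remote request can carry 'Host: localhost' and pass the
    ALLOWED_HOSTS check, since 'localhost' is in the list."""
    return split_host_port(host_header) == 'localhost'


def grants_privilege_by_peer(remote_addr):
    """Safer: decide on the socket peer address (REMOTE_ADDR), which the client
    cannot write into the request. Behind a reverse proxy the peer is the
    proxy, so this still needs the proxy's own trust configuration."""
    return remote_addr in ('127.0.0.1', '::1')


if __name__ == '__main__':
    # A remote client (constructed address 203.0.113.5) sending Host: localhost
    print(host_is_allowed('localhost:8000'))          # True: passes ALLOWED_HOSTS
    print(grants_privilege_by_host('localhost:8000'))  # True: the flaw the answer warns of
    print(grants_privilege_by_peer('203.0.113.5'))     # False: peer address is not local
```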
In Django 2.1.4, another solution is:
ALLOWED_HOSTS = ['127.0.0.1']