Should server IP address be in ALLOWED_HOSTS django setting?

Question

Since upgrading to django 1.5 my logs show several SuspiciousOperation exceptions with the text:

Invalid HTTP_HOST header (you may need to set ALLOW         


        

Answer 1

NO, IT SHOULDN'T.

Usually it's not a secure way to configure your Django server. Sometimes, e.g., when testing your application, you may access it via direct IP address, but in there's no reason to disable log warnings.

My old answer was wrong, thanks to Max Malysh for pointing that out.

Old answer (INSECURE):

Short answer is: YES (according to provided headers).

Long answer: According to documentation:

If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.

In other words: if your requests pass your server ip address as Host header (and apparently they do), and you think it's okay, then YES, you should add server ip to ALLOWED_HOSTS.

Also, ip address could be in HTTP_HOST for many reasons, also someone could directly ask for ip address.