Should server IP address be in ALLOWED_HOSTS django setting?

Backend · Unresolved · 3 answers · 1560 views
栀梦 2021-02-05 00:21

Since upgrading to django 1.5 my logs show several SuspiciousOperation exceptions with the text:

Invalid HTTP_HOST header (you may need to set ALLOW

3 answers
  •  执笔经年
    2021-02-05 00:49

    No, it shouldn't

    By default, there are no reasons why IP address should be accepted as a valid HOST header. This message is a sign of a misconfigured production environment: such requests shouldn't reach the back-end.

    Here's a post on security.stackexchange.com on Host header poisoning & ALLOWED_HOSTS.

    What to do

    Filter out all requests with an invalid HOST header before they reach the django back-end.

    How to

    Most likely you're using nginx as a reverse proxy in front of django. If you don't use any reverse proxy at all (or you're using runserver), you have to (otherwise you're risking your security).

    Add a default server block returning 444 at the top of your configuration. It should be the first server block in the configuration:

    # File: /etc/nginx/sites-available/domain.com
    
    upstream django_server {
        server 127.0.0.1:8000;
    }
    
    # Catch all requests with an invalid HOST header
    server {
        server_name "";
        listen      80;
        return      444;
    }
    
    # Your config goes there
    server {
        server_name  domain.com;
        listen       80;
    
        location / {
            proxy_pass http://django_server;
        }
    }
    
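As an added illustration (not part of the answer above, and not Django's own code), the following Python script mirrors the host-matching rules that Django applies to ALLOWED_HOSTS (exact match, a leading-dot entry such as ".domain.com" matching the domain and every subdomain, "*" matching anything, and the port being ignored; these semantics are stated here as an assumption about Django, not taken from the page). It then triages a constructed batch of Host header values so you can see which ones Django would accept and which ones are bare IP literals that, per the answer, should never have made it past the reverse proxy in the first place.

```python
import ipaddress
import re

# Constructed sample of Host header values, as they might appear in the logs
# of a server that has no catch-all reverse-proxy block in front of it.
SAMPLE_HOSTS = [
    "domain.com",
    "domain.com:80",
    "www.domain.com",
    "203.0.113.10",          # bare IPv4 literal (documentation range)
    "203.0.113.10:8000",
    "[2001:db8::1]:8000",    # IPv6 literal with port
    "evil.com",
    "bad host!",             # syntactically invalid
]

# Example ALLOWED_HOSTS value (hypothetical; "domain.com" taken from the answer's nginx config).
ALLOWED_HOSTS = [".domain.com"]

# host part is either a bracketed IPv6 literal or a DNS-style name; port is optional.
_HOST_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.\-]+)(?::\d+)?$")


def split_host(host_header):
    """Return (host, port) with the host lowercased (brackets kept on IPv6 literals).

    Returns None when the header is not even syntactically valid.
    """
    m = _HOST_RE.match(host_header)
    if not m:
        return None
    raw_host = m.group(1)
    port = host_header[len(raw_host):].lstrip(":") or None
    return raw_host.lower(), port


def is_ip_literal(host):
    """True if the host part is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_allowed(host_header, allowed_hosts):
    """Assumed ALLOWED_HOSTS semantics: exact match, ".x.y" matches x.y and
    any subdomain of it, "*" matches everything; the port never counts."""
    parsed = split_host(host_header)
    if parsed is None:
        return False
    host, _port = parsed
    host = host.rstrip(".")  # tolerate a trailing dot on a fully qualified name
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def triage(host_headers, allowed_hosts):
    """Classify each Host header as 'allowed', 'ip-literal' (a request the
    reverse proxy should have dropped) or 'rejected' (Django would raise
    SuspiciousOperation / DisallowedHost for it)."""
    result = {}
    for header in host_headers:
        if host_allowed(header, allowed_hosts):
            result[header] = "allowed"
            continue
        parsed = split_host(header)
        if parsed is not None and is_ip_literal(parsed[0]):
            result[header] = "ip-literal"
        else:
            result[header] = "rejected"
    return result


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HOSTS, ALLOWED_HOSTS).items():
        print(f"{header!r:28} -> {verdict}")
```

Run it and every "ip-literal" line is a request that the nginx catch-all block from the answer (server_name ""; return 444) would have closed before Django ever saw it; the "rejected" lines are the ones a correctly configured ALLOWED_HOSTS is meant to refuse.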
