Is ALLOWED_HOSTS needed on Heroku?

Backend · open · 2 answers · 1827 views
渐次进展 2021-01-02 02:53

From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.

It

2 answers
  • 2021-01-02 03:28

    Warning: Possibly Out of Date

    The settings.py below represents the contents of Heroku's docs when this answer was originally written in 2015. While I am relatively sure the ALLOWED_HOSTS setting presented here is safe, please consult the up-to-date docs before copying any of the rest of these settings!

    Original answer follows. See below for more information.


    This is exactly what you are supposed to do, per Getting Started with Django on Heroku:

    settings.py

    # Parse database configuration from $DATABASE_URL
    # (DATABASES is already defined earlier in the Django-generated settings.py;
    # this only overrides the 'default' alias)
    import dj_database_url
    DATABASES['default'] = dj_database_url.config()
    
    # Honor the 'X-Forwarded-Proto' header for request.is_secure()
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    
    # Allow all host headers
    ALLOWED_HOSTS = ['*']
    
    # Static asset configuration
    import os
    BASE_DIR = os.path.dirname(os.path.abspath(__file__))
    STATIC_ROOT = 'staticfiles'
    STATIC_URL = '/static/'
    
    STATICFILES_DIRS = (
        os.path.join(BASE_DIR, 'static'),
    )
    

    2018 Update

    The link above no longer works, as Heroku formats their Getting Started docs a bit differently these days, providing pre-built example repos rather than code samples in the docs. The current Python Getting Started Repo has ALLOWED_HOSTS = [], but also DEBUG = True, which according to the Django 2.1 docs triggers a special case where

    ALLOWED_HOSTS =  ['localhost', '127.0.0.1', '[::1]']
    

    Since DEBUG = True is not recommended or a good idea at all in production, the original recommendation in this answer still stands as a production-ready solution for a Heroku app. Be sure you read and understand Charlie Weems' brief answer before deciding what to do.

    Full Disclosure: I have not built a production Heroku app in a recent version of Django. YMMV :)

  • 2021-01-02 03:39

    Note that Heroku removed ['*'] from the getting started guide in December 2017.

    I recommend setting ALLOWED_HOSTS = ['.herokuapp.com'].

    Even though Heroku's domain service is providing this protection, specifying the setting will be a reminder to update the configuration if moved to another hosting service.

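To make the difference between the three settings discussed in this thread concrete, here is an added example (not code from the question, from either answer, from Heroku, or from Django itself). It is a self-contained reimplementation of the matching rules Django documents for ALLOWED_HOSTS: exact match, the leading-dot subdomain wildcard, `'*'`, and the DEBUG=True fallback list quoted in the 2018 update. It then runs a few Host headers through `['*']`, `['.herokuapp.com']` and the DEBUG fallback. The `Settings` class, the sample Host headers and the `password_reset_url` helper are constructed for the illustration; the latter shows why a forged Host header matters when the application builds absolute URLs from `request.get_host()`.

```python
"""Self-contained model of Django's ALLOWED_HOSTS / get_host() check.

Mirrors the rules Django documents (exact host, '.example.com' subdomain
wildcard, '*', and the DEBUG=True fallback list). Not Django's own code;
the Settings class and sample requests below are constructed for this example.
"""
import re
from dataclasses import dataclass, field


class DisallowedHost(Exception):
    """Raised when no ALLOWED_HOSTS entry matches the request's Host header."""


@dataclass
class Settings:
    """Just the two settings that matter for the host check (constructed stand-in)."""
    DEBUG: bool = False
    ALLOWED_HOSTS: list = field(default_factory=list)


# Syntactic check on the host: a DNS name / IPv4 literal or a bracketed IPv6
# literal, optionally followed by a port. Anything else is rejected outright.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host):
    """Return (domain, port); ('', '') if the host is syntactically invalid."""
    host = host.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host[-1] == "]":  # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    # A single trailing dot (FQDN form) is ignored for matching purposes.
    domain = domain[:-1] if domain.endswith(".") else domain
    return domain, port


def is_same_domain(host, pattern):
    """'.herokuapp.com' matches herokuapp.com and any subdomain; otherwise exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host, allowed_hosts):
    """True if any ALLOWED_HOSTS entry accepts the (already lower-cased) domain."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def effective_allowed_hosts(settings):
    """DEBUG=True with an empty list falls back to the local-only list (Django 2.1 docs)."""
    if settings.DEBUG and not settings.ALLOWED_HOSTS:
        return ["localhost", "127.0.0.1", "[::1]"]
    return settings.ALLOWED_HOSTS


def get_host(meta, settings):
    """Return the raw Host header if it passes validation, else raise DisallowedHost."""
    host = meta.get("HTTP_HOST") or meta.get("SERVER_NAME", "")
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, effective_allowed_hosts(settings)):
        return host
    raise DisallowedHost(f"Invalid HTTP_HOST header: {host!r}")


def is_allowed(meta, settings):
    """Boolean convenience wrapper around get_host()."""
    try:
        get_host(meta, settings)
        return True
    except DisallowedHost:
        return False


def password_reset_url(meta, settings):
    """The kind of absolute URL an app puts in a reset e-mail; with ['*'] an
    attacker-supplied Host header ends up in the link sent to the victim."""
    return f"https://{get_host(meta, settings)}/reset/abc123/"


# Constructed sample requests, as a WSGI app would see them in request.META.
LEGIT = {"HTTP_HOST": "myapp.herokuapp.com"}
LEGIT_PORT = {"HTTP_HOST": "Myapp.HerokuApp.com:443"}
FORGED = {"HTTP_HOST": "evil.example"}
LOOKALIKE = {"HTTP_HOST": "myapp.herokuapp.com.evil.example"}
LOCAL = {"HTTP_HOST": "localhost:8000"}

STAR = Settings(DEBUG=False, ALLOWED_HOSTS=["*"])
HEROKU = Settings(DEBUG=False, ALLOWED_HOSTS=[".herokuapp.com"])
DEV = Settings(DEBUG=True, ALLOWED_HOSTS=[])
EMPTY_PROD = Settings(DEBUG=False, ALLOWED_HOSTS=[])

if __name__ == "__main__":
    for name, s in [("['*']", STAR), ("['.herokuapp.com']", HEROKU), ("DEBUG fallback", DEV)]:
        for meta in (LEGIT, LEGIT_PORT, FORGED, LOOKALIKE, LOCAL):
            print(f"{name:20} {meta['HTTP_HOST']:40} {is_allowed(meta, s)}")
    print("reset link under ['*'] with forged Host:", password_reset_url(FORGED, STAR))
```

The lookalike case is the one to watch when hand-rolling a suffix check: `myapp.herokuapp.com.evil.example` does not end with `.herokuapp.com`, so the dot-prefixed pattern rejects it, whereas a naive `"herokuapp.com" in host` would not.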