
ALLOWED_HOSTS setting missing

In Django, you need to properly set the ALLOWED_HOSTS setting when DEBUG = False. This is a security mechanism. It prevents attackers from poisoning caches or password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.

Anti-Pattern

ALLOWED_HOSTS is not set, or is empty, when DEBUG = False.

""" settings.py """

DEBUG = False
# ...
ALLOWED_HOSTS = []

Best practice

Make sure an appropriate host is set in ALLOWED_HOSTS whenever DEBUG = False.

DEBUG = False
# ...
ALLOWED_HOSTS = ['djangoproject.com']
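
A static check for this anti-pattern, added here as an example (it is not code from the original article or from Django). The helper name audit_settings is hypothetical. It goes beyond the case above by also flagging the '*' wildcard, which Django treats as matching any host, and by reporting values it cannot evaluate statically.

```python
import ast

UNKNOWN = object()  # marker for values computed at runtime (env vars, function calls)


def audit_settings(source):
    """Return findings for the DEBUG / ALLOWED_HOSTS pair in Django settings source.

    audit_settings is a hypothetical helper written for this example.
    """
    # Django's defaults when a setting is absent: DEBUG = False, ALLOWED_HOSTS = [].
    values = {"DEBUG": False, "ALLOWED_HOSTS": []}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in values:
                try:
                    values[target.id] = ast.literal_eval(node.value)
                except (ValueError, TypeError):
                    values[target.id] = UNKNOWN  # not a literal; cannot judge statically

    debug, hosts = values["DEBUG"], values["ALLOWED_HOSTS"]
    if debug is True:
        return []  # the article's rule only applies when DEBUG = False
    if hosts is UNKNOWN:
        return ["ALLOWED_HOSTS is computed at runtime; confirm it is non-empty in production"]
    if not hosts:
        return ["ALLOWED_HOSTS is missing or empty while DEBUG is not True"]
    if "*" in hosts:
        return ["ALLOWED_HOSTS contains '*', which accepts any Host header"]
    return []


if __name__ == "__main__":
    # Constructed sample inputs: the article's two snippets plus a wildcard case.
    samples = {
        "anti-pattern": "DEBUG = False\nALLOWED_HOSTS = []\n",
        "best practice": "DEBUG = False\nALLOWED_HOSTS = ['djangoproject.com']\n",
        "wildcard": "DEBUG = False\nALLOWED_HOSTS = ['*']\n",
    }
    for name, source in samples.items():
        print(name, "->", audit_settings(source) or "ok")
```

A settings file that never assigns DEBUG is checked as if DEBUG = False, because that is Django's default.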