ALLOWED_HOSTS setting missing

In Django, you need to properly set the ALLOWED_HOSTS setting when DEBUG = False. This is a security mechanism. It prevents attackers from poisoning caches or password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.


ALLOWED_HOSTS is not set, or is empty, when DEBUG = False:

""" """

DEBUG = False
# ...

Best practice

Make sure an appropriate host is set in ALLOWED_HOSTS whenever DEBUG = False.

DEBUG = False
# ...
ALLOWED_HOSTS = ['www.example.com']  # placeholder: list the host names this site is served under
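The following is an added example, not code from the original article or from Django: a small audit that flags the configuration described above and models how a Host header is compared against ALLOWED_HOSTS. It goes slightly beyond the article by also covering the '*' and leading-dot subdomain patterns; the matching is a simplified re-implementation of Django's documented rules, and all host names and the function names are constructed placeholders.

```python
def host_part(header):
    """Lower-case a Host header value and drop the port and one trailing dot."""
    host = header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:8000
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0].removesuffix(".")


def host_allowed(header, allowed_hosts):
    """Simplified model of the ALLOWED_HOSTS match (assumption: not Django's code)."""
    host = host_part(header)
    for pattern in allowed_hosts or []:       # an empty list matches nothing
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        # ".example.org" matches example.org and every subdomain of it
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def audit(debug, allowed_hosts):
    """Return findings for one DEBUG / ALLOWED_HOSTS pair."""
    allowed_hosts = allowed_hosts or []
    findings = []
    if not debug and not allowed_hosts:
        findings.append("ALLOWED_HOSTS is missing or empty while DEBUG = False")
    if "*" in allowed_hosts:
        findings.append("'*' accepts any Host header; validation is effectively off")
    return findings


# Constructed sample data; every host name is a placeholder.
CONFIGS = {
    "anti-pattern": {"DEBUG": False, "ALLOWED_HOSTS": []},
    "wildcard": {"DEBUG": False, "ALLOWED_HOSTS": ["*"]},
    "best-practice": {"DEBUG": False,
                      "ALLOWED_HOSTS": ["www.example.com", ".example.org"]},
}
HOST_HEADERS = ["WWW.Example.com:443", "api.example.org", "forged.example.net"]

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, audit(cfg["DEBUG"], cfg["ALLOWED_HOSTS"]))
        for header in HOST_HEADERS:
            print("   ", header, "->", host_allowed(header, cfg["ALLOWED_HOSTS"]))
```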