ALLOWED_HOSTS
Default: [] (Empty list)
A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations.
Values in this list can be fully qualified names (e.g. 'www.example.com'), in which case they will be matched against the request’s Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: '.example.com' will match example.com, www.example.com, and any other subdomain of example.com. A value of '*' will match anything; in this case you are responsible for providing your own validation of the Host header (perhaps in a middleware; if so, this middleware must be listed first in MIDDLEWARE).
Django also allows the fully qualified domain name (FQDN) of any entries. Some browsers include a trailing dot in the Host header which Django strips when performing host validation.
If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.
When DEBUG is True and ALLOWED_HOSTS is empty, the host is validated against ['localhost', '127.0.0.1', '[::1]'].
This validation only applies via get_host(); if your code accesses the Host header directly from request.META you are bypassing this security protection.
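The matching rules described above (exact match, '.example.com' wildcard, '*', case-insensitive comparison, port and trailing-dot stripping, and the DEBUG fallback), as an added stand-alone example that is not Django's own code. The names get_host, split_domain_port, validate_host and DisallowedHost are this example's own, and the host regex is assumed to mirror the host/port grammar Django accepts.

```python
import re

# Assumption: the fallback list Django uses when DEBUG is True and ALLOWED_HOSTS is empty.
DEBUG_HOSTS = ['localhost', '127.0.0.1', '[::1]']

# Assumption: host is a DNS name or a bracketed IPv6 literal, optionally with :port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


class DisallowedHost(Exception):
    """Stands in for SuspiciousOperation in this self-contained example."""


def split_domain_port(host):
    """Lower-case the Host value, split off the port, and strip a trailing dot."""
    host = host.lower()
    if not _HOST_RE.match(host):
        return '', ''            # malformed header: nothing to match
    if host[-1] == ']':
        return host, ''          # bracketed IPv6 literal without a port
    bits = host.rsplit(':', 1)
    domain, port = bits if len(bits) == 2 else (bits[0], '')
    domain = domain[:-1] if domain.endswith('.') else domain
    return domain, port


def validate_host(host, allowed_hosts):
    """True if host matches an ALLOWED_HOSTS entry: exact, '.suffix' wildcard or '*'."""
    host = host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        # '.example.com' matches example.com itself and every subdomain of it.
        if pattern.startswith('.') and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def get_host(host_header, allowed_hosts, debug=False):
    """Return the raw Host header if it is allowed, else raise DisallowedHost."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_HOSTS
    domain, port = split_domain_port(host_header)
    if domain and validate_host(domain, allowed_hosts):
        return host_header
    raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)
```

Reading request.META['HTTP_HOST'] directly skips get_host() and therefore all of this checking, which is the bypass the paragraph above warns about.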
Changed in Django 1.10.3:
In older versions, ALLOWED_HOSTS wasn’t checked if DEBUG=True. This was also changed in Django 1.9.11 and 1.8.16 to prevent a DNS rebinding attack.