I seem to remember having a similar thought that HttpRequest seemed like an unusual place to do that validation, but I never investigated if there could be a better design.
Adding Carl to CC because he authored the addition of settings.ALLOWED_HOSTS (d51fb74360b94f2a856573174f8aae3cd905dd35). Maybe he remembers something about that. I found a comment from him in the private security tracker for the patch that has this todo item:
Consider validating all requests instead of only when get_host() is called, to make it less likely a misconfigured whitelist will be missed? I'm now leaning away from this, because it seems cleaner to only do the work when the value is requested, but I do think it's problematic that it could be so easy to deploy and forget to configure ALLOWED_HOSTS until someone tries to send a password reset email or something.
with Florian's reply:
- CommonMiddleware checks the host on every request.
- CSRF middleware checks the host on every secure request.

So essentially you are most likely checking it all the time already (so I guess we could move that check up in the wsgi handling…)
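To make the lazy-versus-eager trade-off in the thread concrete, here is an added example (not Django's code; the matching rules and the `handle`, `health_view` and `password_reset_view` helpers are my own simplified reconstruction) showing why an empty ALLOWED_HOSTS goes unnoticed until a view such as a password reset actually calls get_host(), and how an up-front check like the middleware's surfaces it on every request:

```python
import re

# "domain" or "domain:port", including a bracketed IPv6 literal; shape
# modelled on Django's host validation regex, rewritten for this example.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?$")


class DisallowedHost(Exception):
    """Raised when the Host header does not match ALLOWED_HOSTS."""


def validate_host(host, allowed_hosts):
    """Django-style matching: '*' matches anything, a pattern starting with
    '.' matches the domain and every subdomain, anything else is exact."""
    host = host.rstrip(".")  # a trailing dot marks a fully-qualified name
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def get_host(headers, allowed_hosts):
    """Lazy check: only raises when a view actually asks for the host."""
    raw = headers.get("Host", "").lower()
    match = HOST_RE.match(raw)
    if not match or not validate_host(match.group(1), allowed_hosts):
        raise DisallowedHost("Host %r rejected by ALLOWED_HOSTS" % raw)
    return match.group(1)


def health_view(headers, allowed_hosts):
    return "ok"  # never touches the Host header, so never trips the check


def password_reset_view(headers, allowed_hosts):
    # Building an absolute URL for an email is where a forgotten
    # ALLOWED_HOSTS first shows up (hypothetical view, token elided).
    return "https://%s/reset/<token>" % get_host(headers, allowed_hosts)


def handle(headers, allowed_hosts, view, eager=False):
    """Return an HTTP status code. eager=True mimics a middleware that
    validates the host on every request instead of waiting for get_host()."""
    try:
        if eager:
            get_host(headers, allowed_hosts)
        view(headers, allowed_hosts)
        return 200
    except DisallowedHost:
        return 400
```

With ALLOWED_HOSTS left empty, the health view keeps returning 200 under the lazy check while the reset view returns 400; the eager check rejects both, which is the "fail early on misconfiguration" behaviour Carl's todo item weighs.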