Opened 6 years ago
Closed 6 years ago
#29752 closed New feature (wontfix)
Add new ALLOWED_HOSTS_EXEMPT setting
Reported by: | Jonas Haag | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Someday/Maybe |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
This patch adds a new ALLOWED_HOSTS_EXEMPT setting to exclude some URLs from Host header validation.
This can come in handy if you can't control the Host header sent to your application but still want to accept the request. An example of this is health checks made by AWS ECS/Fargate – google "django allowed_hosts aws" and find 16,000 results with tips on how to work around the problem.
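The proposal in the description, sketched as an added example (not code from the ticket or the linked pull request). It assumes the exempt list would be matched the way SECURE_REDIRECT_EXEMPT is, by regex search on the path without its leading slash; `host_allowed`, `is_exempt` and `accept_request` are hypothetical names, and all hosts and paths are constructed. It shows why an unanchored pattern exempts more than the health-check URL.

```python
import re

# Constructed sample settings. ALLOWED_HOSTS_EXEMPT is the setting proposed in
# this ticket (never merged); both lists below are illustrative values for it.
ALLOWED_HOSTS = ["example.com", ".example.org"]
LOOSE_EXEMPT = [r"health"]        # unanchored: matches anywhere in the path
STRICT_EXEMPT = [r"^healthz/$"]   # anchored: matches exactly one path


def host_allowed(host, allowed_hosts):
    """Simplified stand-in for Django's ALLOWED_HOSTS matching.

    Handles host names and IPv4 addresses with an optional port;
    bracketed IPv6 literals are out of scope for this sketch.
    """
    host = host.lower().partition(":")[0]
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == host:
            return True
        # A leading dot allows the domain itself and any subdomain.
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def is_exempt(path, exempt_patterns):
    """Regex search on the path with its leading slash removed (assumed to
    mirror how SECURE_REDIRECT_EXEMPT patterns are applied)."""
    path = path.lstrip("/")
    return any(re.search(pattern, path) for pattern in exempt_patterns)


def accept_request(path, host, exempt_patterns, allowed_hosts=ALLOWED_HOSTS):
    """True if the path is exempt from Host validation or the Host is allowed."""
    return is_exempt(path, exempt_patterns) or host_allowed(host, allowed_hosts)


if __name__ == "__main__":
    checker_host = "10.0.3.17"  # constructed: health checker addressing the task by IP
    for patterns in (STRICT_EXEMPT, LOOSE_EXEMPT):
        for path in ("/healthz/", "/admin/health-report/"):
            print(patterns, path, accept_request(path, checker_host, patterns))
```

Any view reachable through an exempt pattern runs with an unvalidated Host header, so it should not build URLs or make decisions from that header.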
Change History (6)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
Without weighing in on the acceptability of the feature request, the setting name should probably contain _URL to adhere to the existing setting names.
comment:3 by , 6 years ago
I took SECURE_REDIRECT_EXEMPT as a guideline, both in terms of naming and in terms of implementation.
comment:4 by , 6 years ago
The thing with SECURE_REDIRECT_EXEMPT is that it contains REDIRECT_EXEMPT, which kind of self-documents that it must contain paths. In the case of ALLOWED_HOSTS_EXEMPT it's not clear that it's a paths exemption list; it sounds like a hosts exemption list.
comment:5 by , 6 years ago
Easy pickings: | unset |
---|---|
Triage Stage: | Unreviewed → Someday/Maybe |
Proposals to add new settings must be made on the DevelopersMailingList.
comment:6 by , 6 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
The django-developers discussion didn't yield a consensus to add this.
https://github.com/django/django/pull/10383