id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35458	Docs: clarify need for ALLOWED_HOSTS	Klaas van Schelven	nobody	"I understand why [https://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do validation of the host header is important] but I do not understand why this would be the responsibility of Django.

The [https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts docs for the settings] mysteriously mention

> which are possible even under many seemingly-safe web server configurations.

and the [https://docs.djangoproject.com/en/5.0/topics/security/#host-headers-virtual-hosting docs for the host header validation] mention something similar:

> Because even seemingly-secure web server configurations are susceptible to fake Host headers

and 

> Previous versions of this document recommended configuring your web server to ensure it validates incoming HTTP Host headers. While this is still recommended, in many common web servers a configuration that seems to validate the Host header may not in fact do so. For instance, even if Apache [..]

However, these notes were added in 2013, when Apache still reigned supreme (moreover, a very different version of Apache, possibly with less sane defaults). These days there are many more ways Django is deployed, not least cloud-based ones in which the passing of sane (actually checked) host headers is left up to some web-facing proxy / webserver in front of Django.

In 2024, is there still any reason to fear these ""many"" (undocumented) ""seemingly-safe server configurations"" or can I just use a sane proxy server and let that do the validation instead? Setting `ALLOWED_HOSTS` to `[""*""]` removes one more thing to think about while deploying.

In the context of a bug report (and not just a question): the documentation should clarify what the actual wrong configurations would be, it should be mentioned as ""defense in depth"" rather than a first line of defense, or the whole idea of ALLOWED_HOSTS checking should be removed.

[https://stackoverflow.com/q/78476951/339144 Previously asked on StackOverflow in slightly different words]"	Uncategorized	closed	Documentation	5.0	Normal	needsinfo			Unreviewed	0	0	0	0	0	0
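The ticket above turns on what `ALLOWED_HOSTS` actually filters. The following is an added example, not part of the ticket and not Django's own code: a stand-alone reimplementation of the three documented pattern forms (exact name, leading-dot subdomain wildcard, and `"*"`) run over a constructed list of Host header values, so the difference between a real allow-list and `["*"]` is visible on concrete input. The function names (`split_domain_port`, `validate_host`, `filter_requests`) and the sample hosts are this example's own; Django is not imported.

```python
# Added example: reimplementation of the ALLOWED_HOSTS matching rules that
# Django documents (exact, ".domain" wildcard, "*"), to show what each
# setting lets through. Not Django code; nothing here imports Django.
import re

# Matches "host" or "host:port"; the host may be a bracketed IPv6 literal.
_HOST_PORT_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[^:\[\]]+)(?::(\d{1,5}))?$")


def split_domain_port(host_header: str):
    """Return (domain, port) from a raw Host header value.

    The domain is lower-cased and a trailing dot is stripped, as Django's
    get_host() does; an unparsable value yields ("", "").
    """
    host_header = host_header.strip().lower()
    if host_header.endswith("."):  # absolute (FQDN) form
        host_header = host_header[:-1]
    m = _HOST_PORT_RE.match(host_header)
    if not m:
        return "", ""
    return m.group(1), m.group(2) or ""


def validate_host(domain: str, allowed_hosts) -> bool:
    """True if `domain` is permitted by any ALLOWED_HOSTS pattern."""
    for pattern in allowed_hosts:
        if pattern == "*":
            return True  # everything is accepted; validation must happen upstream
        if pattern.startswith("."):
            # ".example.com" allows example.com itself and any subdomain of it
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def filter_requests(allowed_hosts, host_headers):
    """Return the raw Host values (in order) that the setting would accept."""
    accepted = []
    for raw in host_headers:
        domain, _port = split_domain_port(raw)
        if domain and validate_host(domain, allowed_hosts):
            accepted.append(raw)
    return accepted


# Constructed sample Host headers, including attacker-chosen values of the
# kind host-header validation exists to reject.
SAMPLE_HOSTS = [
    "example.com",
    "www.Example.com:443",
    "example.com.",
    "attacker.example.com",
    "evil.example",
    "[::1]:8000",
    "example.com.evil.example",
]

if __name__ == "__main__":
    for setting in (["example.com"], [".example.com"], ["*"]):
        print(setting, "->", filter_requests(setting, SAMPLE_HOSTS))
```

Under `["*"]` every value in the list reaches the application, including `evil.example`, which is the trade the ticket describes: the check does not disappear, it moves entirely to whatever sits in front of Django. A practitioner taking that route should confirm the proxy really rejects unmatched names rather than routing them to a default site; on nginx, for instance, a `server_name example.com;` block alone does not do that, because a request whose Host matches no `server_name` is handed to the default server (the first `listen` block unless one is marked `default_server`), so a catch-all server that returns 444 or a 4xx is needed for the proxy-side check to be real.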
