python.django.allowed_hosts

Security High

Detects Django ALLOWED_HOSTS misconfiguration that can lead to host header attacks.

ALLOWED_HOSTS issues:

  • Host header attacks — an attacker-controlled Host header can poison caches or redirect users
  • Security bypass — request forgery becomes possible
  • Email spoofing — password reset links are built from the spoofed host and point at the wrong domain
```python
# ❌ Before (wildcard or missing)
ALLOWED_HOSTS = ['*']  # Accepts any host!
# or
ALLOWED_HOSTS = []  # Only works with DEBUG=True

# ✅ After (explicit hosts)
ALLOWED_HOSTS = [
    'example.com',
    'www.example.com',
    '.example.com',  # Subdomain wildcard is OK
]
```

Detected patterns:

  • ALLOWED_HOSTS = ['*']
  • ALLOWED_HOSTS = [] in production
  • Missing ALLOWED_HOSTS setting

Unfault suggests explicit domain configuration.
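The following is an added example, not Unfault's own implementation: a small static checker that parses a Django settings module with the standard `ast` module and reports the three detected patterns listed above (wildcard, empty list, missing setting), together with a `host_matches` helper that reproduces Django's matching rule for entries such as `.example.com` so the "subdomain wildcard is OK" comment can be verified. The settings sources are constructed for the example; a real run would read `settings.py` from disk.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 1-based source line, 0 when the setting is absent
    message: str


def host_matches(host: str, pattern: str) -> bool:
    """Django's validate_host rule for a single ALLOWED_HOSTS entry:
    '*' matches anything; '.example.com' matches example.com and every
    subdomain; any other entry must match exactly (case-insensitively)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def _inspect_value(value: ast.expr, lineno: int) -> list[Finding]:
    """Classify the right-hand side of an ALLOWED_HOSTS assignment."""
    if not isinstance(value, (ast.List, ast.Tuple)):
        # e.g. os.environ.get(...): undecidable statically, surface it for review
        return [Finding(lineno, "ALLOWED_HOSTS is not a literal list; verify it at runtime")]
    if not value.elts:
        return [Finding(lineno, "ALLOWED_HOSTS is empty; only works with DEBUG=True")]
    out = []
    for elt in value.elts:
        if isinstance(elt, ast.Constant) and elt.value == "*":
            out.append(Finding(elt.lineno, "ALLOWED_HOSTS contains '*'; any Host header is accepted"))
    return out


def check_allowed_hosts(settings_source: str) -> list[Finding]:
    """Parse a settings module and return one Finding per misconfiguration."""
    tree = ast.parse(settings_source)
    findings: list[Finding] = []
    defined = False
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == "ALLOWED_HOSTS":
                defined = True
                findings.extend(_inspect_value(node.value, node.lineno))
    if not defined:
        findings.append(Finding(0, "ALLOWED_HOSTS is not defined; Django rejects every host when DEBUG=False"))
    return findings


# Constructed settings snippets mirroring the Before/After configurations above.
WILDCARD_SETTINGS = "DEBUG = False\nALLOWED_HOSTS = ['*']\n"
EMPTY_SETTINGS = "DEBUG = False\nALLOWED_HOSTS = []\n"
MISSING_SETTINGS = "DEBUG = False\nSECRET_KEY = 'constructed'\n"
EXPLICIT_SETTINGS = "ALLOWED_HOSTS = ['example.com', 'www.example.com', '.example.com']\n"

if __name__ == "__main__":
    for name, src in [("wildcard", WILDCARD_SETTINGS), ("empty", EMPTY_SETTINGS),
                      ("missing", MISSING_SETTINGS), ("explicit", EXPLICIT_SETTINGS)]:
        print(name, check_allowed_hosts(src) or "OK")
    for host in ["example.com", "api.example.com", "evil-example.com"]:
        print(host, host_matches(host, ".example.com"))
```

The checker only inspects literal lists, which is the same limit a lint rule has: a value pulled from the environment is reported for manual review rather than silently passed. The `host_matches` checks show why a leading dot is acceptable while `'*'` is not: `.example.com` still rejects `evil-example.com` and any host that merely contains the domain.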