Hello,

First, I am not an expert in Django or with Heroku use. I have used both on a number of projects, though. I am concerned that django-heroku sets the ALLOWED_HOSTS setting to '*'. In the Django docs, this is not secure due to the possibility of host header attacks. This is explained in two places: "Host Headers Virtual Hosting" and "allowed hosts".

I understand that this setting can be overridden with allowed_hosts=False, but out of the box I think it should avoid introducing any security flaws. Perhaps this is a non-issue, in which case I would love to understand the Heroku service more. To remedy this, I would be interested to know if Heroku provides any information about the URL that can be leveraged (like an environment variable). I will do some research on my own, but I would be interested to see what the authors here have to say.
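One way to replace the '*' default with an explicit host list read from the environment, as an added example that is not django-heroku's own code: DJANGO_ALLOWED_HOSTS is an assumed, app-defined variable name (the page does not say Heroku provides one), and the matching helper mirrors Django's documented ALLOWED_HOSTS rules so the difference between '*' and a real list can be checked offline.

```python
import os

# Constructed example: derive ALLOWED_HOSTS from an environment variable
# instead of the '*' default. DJANGO_ALLOWED_HOSTS is an assumed variable
# name that the app owner sets on the Heroku config, not something Heroku
# or django-heroku provides.


def parse_allowed_hosts(raw):
    """Split a comma-separated host list. An empty value yields [],
    which makes Django reject every Host header (a safe failure)."""
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def host_matches(host, pattern):
    """Django's ALLOWED_HOSTS rules: '*' matches anything, a leading-dot
    pattern matches the domain and all its subdomains, anything else must
    match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_host_allowed(host, allowed):
    """True when a Host header value (port already stripped) is accepted."""
    host = host.lower()
    if host.endswith("."):  # Django ignores one trailing dot (FQDN form)
        host = host[:-1]
    return any(host_matches(host, p) for p in allowed)


def allowed_hosts_setting(env=os.environ):
    """Value to assign to ALLOWED_HOSTS in settings.py, e.g. after
    django_heroku.settings(locals(), allowed_hosts=False)."""
    return parse_allowed_hosts(env.get("DJANGO_ALLOWED_HOSTS", ""))
```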