heroku / django-heroku

[DEPRECATED] Do not use! See https://github.com/heroku/django-heroku/issues/56
BSD 3-Clause "New" or "Revised" License

Security issue with ALLOWED_HOSTS #5

Closed wowkin2 closed 6 years ago

wowkin2 commented 6 years ago

I found that in the core module: config['ALLOWED_HOSTS'] = ['*']. And that is not good for security. You should read domain info somewhere from Heroku or explicitly set it from settings.py.

kennethreitz commented 6 years ago

No, this is fine on Heroku. Heroku only allows requests from allowed domains to your application.
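
The alternative raised in the first comment, setting ALLOWED_HOSTS explicitly instead of `['*']`, as an added example that is not code from django-heroku or from either commenter. The variable name `DJANGO_ALLOWED_HOSTS`, the helper names and the sample hostnames are assumptions made for illustration, and `host_allowed` is a simplified stand-in for Django's own host matching so the difference between the two settings can be seen without Django installed.

```python
import os

# Hypothetical variable name; not a Heroku or django-heroku setting.
ENV_VAR = "DJANGO_ALLOWED_HOSTS"


def hosts_from_env(environ=None):
    """Build an explicit ALLOWED_HOSTS list from a comma-separated variable."""
    environ = os.environ if environ is None else environ
    raw = environ.get(ENV_VAR, "")
    hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]
    if "*" in hosts:
        raise ValueError(f"{ENV_VAR} must list hostnames explicitly, not '*'")
    return hosts


def host_allowed(host_header, allowed_hosts):
    """Simplified form of Django's matching rule for ALLOWED_HOSTS entries."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():          # drop a trailing :port
        host = name
    if host.endswith("."):              # drop one trailing dot (FQDN form)
        host = host[:-1]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":              # wildcard: every Host header passes
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True                 # ".example.org" covers the domain and its subdomains
        if pattern == host:
            return True
    return False


# In settings.py this would read: ALLOWED_HOSTS = hosts_from_env()
# Constructed sample values, not real deployment data:
SAMPLE_ENV = {ENV_VAR: "myapp.example.com, .example.org"}
ALLOWED_HOSTS = hosts_from_env(SAMPLE_ENV)

if __name__ == "__main__":
    for header in ["MyApp.Example.com:443", "api.example.org", "unrelated.invalid"]:
        print(header, host_allowed(header, ALLOWED_HOSTS), host_allowed(header, ["*"]))
```

With the explicit list the application itself rejects a Host header it does not recognise, so the check no longer depends on what the platform's router forwards.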