Update security docs re HOST header and ALLOWED_HOSTS?

Skip to first unread message

Michael Lissner

May 12, 2022, 3:11:00 PMMay 12
to Django developers (Contributions to Django itself)
There's a vague warning in the security docs that says:

> many common web servers [have] a configuration that seems to validate the
> Host header [that] may not in fact do so. For instance, even if Apache is
> configured such that your Django site is served from a non-default virtual host
> with the ServerName set, it is still possible for an HTTP request to match this
> virtual host and supply a fake Host header.

Does anybody know if this applies to any other server? The way it causes problems in Apache is very specific, and should be really really uncommon since the web has moved to HTTPS by default. (If the HOST header on the request doesn't match a named virtual host in Apache, and it doesn't match a host via SSL's Server Name Indication (SNI), Apache forwards the request to the first named virtual host).

If there's no other server we know of that this impacts, I'd suggest we tighten this warning to explain that it only applies to Apache without SSL, or maybe we even remove this warning altogether?

I spent some time today researching this because I wanted to make sure the issue didn't apply to the server I'm using (AWS ELB — It doesn't). It's always good to clean up old warnings if we can.



Reply all
Reply to author
0 new messages