
docs: add warning and best practices for url_for(..., _external=True)…

Open ranveer9 opened this issue 8 months ago • 1 comment

Description of the Change

This pull request adds a warning and best practices to the Web Security documentation regarding the use of url_for(..., _external=True) without setting SERVER_NAME or trusted_hosts. The new section explains the risk of host header injection and provides recommendations for safer configuration. This aims to improve developer awareness and help prevent potential security vulnerabilities, as discussed in #5718.

How it Addresses the Issue

  • Documents the risk of host header injection when generating external URLs.
  • Recommends setting SERVER_NAME and using trusted_hosts.
  • References the ProxyFix documentation for further guidance.

Relevant Issue fixes #5718

ranveer9, Apr 27 '25 08:04

Thanks for working on this! I really appreciate how clearly the risks and recommendations were described.

This patch aligns well with the concerns I originally raised in issue #5718, glad to see it resolved!

BrookeYangRui, May 02 '25 18:05

Heads up, all this information is wrong in various ways. Do not use AI, especially in regards to information about security.

davidism, Aug 18 '25 18:08

https://github.com/pallets/flask/pull/5798

davidism, Aug 18 '25 18:08