django-on-heroku

Possible security issue

Open • x-yzt opened this issue 4 years ago • 1 comment

Without allowed_hosts=False, the ALLOWED_HOSTS setting is set to ['*']. I don't really know how Heroku handles routing, but I suspect this might be a security issue (see the docs https://docs.djangoproject.com/en/3.1/topics/security/#host-headers-virtual-hosting).

It seems your fork is the most up-to-date at the moment, so I thought I'd open an issue.

x-yzt, Oct 20 '20 21:10

Thanks for the report. I'll take a look at this.

pkrefta, Nov 09 '20 16:11
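An added example, not part of the thread or the project's code: a small re-implementation of Django's documented ALLOWED_HOSTS matching rules, showing what ['*'] accepts compared with an explicit list, plus a helper that builds the list from the environment once the package is called with allowed_hosts=False. The DJANGO_ALLOWED_HOSTS variable name, the helper names and the sample hostnames are assumptions made for illustration.

```python
import os


def strip_port(host):
    """Lower-case a Host header value and drop any :port and trailing dot."""
    host = host.lower()
    if host.endswith("]"):  # bracketed IPv6 literal without a port
        return host
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def host_allowed(host, allowed_hosts):
    """Illustrative copy of the documented rules, not Django's source:
    '*' matches anything, '.example.com' matches the domain and its
    subdomains, any other entry must match exactly (case-insensitive)."""
    host = strip_port(host)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def hosts_from_env(environ, var="DJANGO_ALLOWED_HOSTS"):
    """Build an explicit list from a comma-separated variable (hypothetical
    name) and refuse an empty or wildcard value."""
    hosts = [h.strip() for h in environ.get(var, "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        raise ValueError(f"{var} must list explicit hostnames")
    return hosts


# In settings.py this would pair with the option named in the issue:
#   django_on_heroku.settings(locals(), allowed_hosts=False)
#   ALLOWED_HOSTS = hosts_from_env(os.environ)

if __name__ == "__main__":
    # Constructed Host header values for the comparison.
    for header in ("myapp.herokuapp.com", "MYAPP.herokuapp.com:443", "unexpected.example"):
        print(header, host_allowed(header, ["*"]), host_allowed(header, ["myapp.herokuapp.com"]))
```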