CRE-2025-0031
Django returns DisallowedHost error for untrusted HTTP_HOST headers
Severity: Medium
Impact: 5/10
Mitigation: 5/10
Description
Django applications may return a "DisallowedHost" error when receiving requests with an unrecognized or missing Host header. This typically occurs in production environments where reverse proxies, load balancers, or external clients send requests using an unexpected domain or IP address. Django blocks these requests unless the domain is explicitly listed in `ALLOWED_HOSTS`.
Cause
The error is raised when the HTTP request contains a Host header not present in the Django `ALLOWED_HOSTS` setting. This is a security measure to prevent HTTP Host header attacks and request spoofing.
Mitigation
- Add the incoming domain, IP address, or wildcard pattern to `ALLOWED_HOSTS` in your Django settings. For example:

  ```python
  ALLOWED_HOSTS = ['example.com', 'www.example.com', '127.0.0.1']
  ```

- During development, you can use:

  ```python
  ALLOWED_HOSTS = ['*']
  ```

  Note: this is insecure for production.
- For applications behind a load balancer or ingress, ensure it forwards the correct Host header.
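As an added example (not part of this CRE entry and not Django's own source), the following self-contained Python reimplements the matching rules Django applies when it compares a Host header against `ALLOWED_HOSTS`, so the entries above can be checked offline against the Host values a proxy or load balancer actually sends. `host_is_allowed`, `split_domain_port` and `is_same_domain` are names chosen here; the regex and matching rules are assumed to mirror Django's documented behaviour.

```python
import re

# Constructed reimplementation of the ALLOWED_HOSTS matching Django applies in
# django.http.request (split_domain_port / validate_host). Illustrative only,
# not Django's own code; the regex and rules below mirror Django's.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")
# With DEBUG=True and an empty ALLOWED_HOSTS, Django permits these local names.
DEBUG_FALLBACK_HOSTS = [".localhost", "127.0.0.1", "[::1]"]

def split_domain_port(raw_host):
    """Lower-case the Host header and split off the port.
    Returns (domain, port); domain is '' when the header is malformed,
    which Django also rejects with DisallowedHost."""
    host = raw_host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal such as [::1], no port
        return host, ""
    domain, _, port = host.rpartition(":")
    if not domain:  # no ':' at all, so the whole value is the domain
        domain, port = port, ""
    return domain.rstrip("."), port  # a trailing dot (FQDN form) is ignored

def is_same_domain(domain, pattern):
    """Exact match, or a leading-dot pattern ('.example.com') that covers
    the domain itself and every subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return domain.endswith(pattern) or domain == pattern[1:]
    return pattern == domain

def host_is_allowed(raw_host, allowed_hosts, debug=False):
    """Return (allowed, domain) for a raw Host header value."""
    domain, _port = split_domain_port(raw_host)
    if not domain:
        return False, ""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    allowed = any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)
    return allowed, domain

if __name__ == "__main__":
    # The page's example setting, checked against Host values a proxy might send.
    settings = ["example.com", "www.example.com", "127.0.0.1"]
    for hdr in ["example.com:8000", "api.example.com", "10.0.0.5", "evil.com/x"]:
        print(f"{hdr!r:22} -> {host_is_allowed(hdr, settings)}")
```

With the page's setting, `api.example.com` and a load balancer health check arriving by backend IP are both rejected; a `.example.com` entry admits the subdomain along with every other subdomain, and the backend IP must be listed explicitly.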