
CRE-2025-0031

Django returns DisallowedHost error for untrusted HTTP_HOST headers

Severity: Medium
Impact: 5/10
Mitigation: 5/10


Description

Django applications may return a "DisallowedHost" error when receiving requests with an unrecognized or missing Host header. This typically occurs in production environments where reverse proxies, load balancers, or external clients send requests using an unexpected domain or IP address. Django blocks these requests unless the domain is explicitly listed in `ALLOWED_HOSTS`.

Mitigation

- Add the incoming domain, IP address, or wildcard pattern to `ALLOWED_HOSTS` in your Django settings. For example:

  ```python
  ALLOWED_HOSTS = ['example.com', 'www.example.com', '127.0.0.1']
  ```

- During development, you can use:

  ```python
  ALLOWED_HOSTS = ['*']
  ```

  Note: This is insecure for production.

- For applications behind a load balancer or ingress, ensure it forwards the correct Host header.
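To see which `Host` header values a given `ALLOWED_HOSTS` setting accepts, and which would raise `DisallowedHost`, the following added example (not Django's own code, and not part of this CRE entry) re-implements the documented matching rules in plain Python so it runs without Django installed: the host is lowercased, an optional port and one trailing dot are stripped, `'*'` matches any syntactically valid host, a pattern starting with `.` matches the domain and all its subdomains, and anything else must match exactly. The sample header values and the `10.0.0.5` health-check address are constructed for the example; `ALLOWED_HOSTS_PROD` is the setting shown above.

```python
"""Simplified re-implementation of Django's ALLOWED_HOSTS matching.

Added example, not Django's code: it mirrors the behaviour of
django.http.request.split_domain_port / validate_host closely enough to
predict which Host headers will be rejected with DisallowedHost.
"""
from __future__ import annotations

import re
from typing import Iterable

# Same shape as Django's host_validation_re: a hostname or IPv4 literal,
# or a bracketed IPv6 literal, each with an optional :port suffix.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$")

# The production setting from the mitigation section above.
ALLOWED_HOSTS_PROD = ["example.com", "www.example.com", "127.0.0.1"]

# Constructed sample Host header values as seen at an app server.
SAMPLE_HOST_HEADERS = [
    "www.example.com",      # normal browser request
    "example.com:443",      # explicit port, still allowed
    "Example.COM.",         # mixed case + trailing dot, normalised away
    "api.example.com",      # subdomain not listed -> rejected
    "10.0.0.5",             # load-balancer health check hitting the pod IP
    "",                     # missing Host header
]


def split_domain_port(host: str) -> tuple[str, str]:
    """Return (domain, port); domain is lowercased with one trailing dot removed.

    An empty domain means the header is not a syntactically valid host.
    """
    host = host.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):
        return host, ""            # bare IPv6 literal, no port
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or subdomain match when the pattern starts with a dot."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(domain: str, allowed_hosts: Iterable[str]) -> bool:
    """True if any pattern in allowed_hosts accepts the (already split) domain."""
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def check_host(header_value: str, allowed_hosts: Iterable[str]) -> bool:
    """Model of HttpRequest.get_host(): False means DisallowedHost would be raised."""
    domain, _port = split_domain_port(header_value)
    return bool(domain) and validate_host(domain, allowed_hosts)


def classify_requests(headers: Iterable[str], allowed_hosts: Iterable[str]) -> dict[str, str]:
    """Map each Host header value to 'ok' or 'DisallowedHost' for a given setting."""
    allowed = list(allowed_hosts)
    return {h: ("ok" if check_host(h, allowed) else "DisallowedHost") for h in headers}


if __name__ == "__main__":
    for header, verdict in classify_requests(SAMPLE_HOST_HEADERS, ALLOWED_HOSTS_PROD).items():
        print(f"{header!r:22} -> {verdict}")
    # A leading-dot pattern covers subdomains without accepting look-alike domains.
    print(check_host("api.example.com", [".example.com"]))    # True
    print(check_host("evilexample.com", [".example.com"]))    # False
    # '*' accepts any well-formed host, which is why it is unsafe in production.
    print(check_host("anything.invalid", ["*"]))              # True
```

Running the script shows the two failure modes the description mentions side by side: the health check arriving on the pod IP and the missing `Host` header are both rejected by the production setting, while the port and case differences are normalised away. Adding `'.example.com'` to the list covers subdomains without also matching `evilexample.com`, whereas `'*'` accepts any well-formed value, which is the reason the note above calls it insecure for production.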

References