
ALLOWED_HOSTS configuration in Django - Step-by-Step Execution

Concept Flow - ALLOWED_HOSTS configuration
Start Django Server -> Receive HTTP Request -> Check Host Header -> Is Host in ALLOWED_HOSTS?
  No: Reject Request with 400
  Yes: Process Request Normally -> Send Response
Django checks the Host header of incoming requests against ALLOWED_HOSTS. If it matches, the request proceeds; otherwise, Django rejects it.
Execution Sample
Django
ALLOWED_HOSTS = ['example.com', 'localhost']

# Incoming request with Host: 'example.com'
# Django checks if 'example.com' is in ALLOWED_HOSTS
# Request allowed and processed
This code shows Django allowing only requests whose Host header names one of the specified hosts.
Execution Table
Step | Incoming Request Host | Check Host in ALLOWED_HOSTS | Result | Action Taken
1 | 'example.com' | Yes | Allowed | Process request normally
2 | 'localhost' | Yes | Allowed | Process request normally
3 | 'malicious.com' | No | Rejected | Return 400 Bad Request
💡 Requests with hosts not in ALLOWED_HOSTS are rejected to prevent host header attacks.
Variable Tracker
Variable | Start | Request 1 | Request 2 | Request 3
ALLOWED_HOSTS | ['example.com', 'localhost'] | ['example.com', 'localhost'] | ['example.com', 'localhost'] | ['example.com', 'localhost']
Request Host | N/A | 'example.com' | 'localhost' | 'malicious.com'
Host Allowed? | N/A | True | True | False
Key Moments - 2 Insights
Why does Django reject requests with hosts not in ALLOWED_HOSTS?
Django rejects such requests to protect your app from host header attacks, as shown in execution_table row 3 where 'malicious.com' is not allowed.
What happens if ALLOWED_HOSTS is empty?
If ALLOWED_HOSTS is empty, Django rejects all requests except when DEBUG=True, preventing any host from accessing the app.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what action does Django take when the request host is 'localhost'?
A. Rejects the request with 400
B. Redirects to another host
C. Processes the request normally
D. Logs an error but processes the request
💡 Hint
Check execution_table row 2 under 'Action Taken'
At which step does Django reject the request due to host not being allowed?
A. Step 1
B. Step 3
C. Step 2
D. No rejection occurs
💡 Hint
Look at execution_table row 3 under 'Result' and 'Action Taken'
If you add 'myapp.com' to ALLOWED_HOSTS, what changes in variable_tracker for a request with host 'myapp.com'?
A. Host Allowed? becomes True for 'myapp.com'
B. Request Host changes to 'example.com'
C. ALLOWED_HOSTS becomes empty
D. No change occurs
💡 Hint
Refer to variable_tracker row 'Host Allowed?' and how it depends on ALLOWED_HOSTS
Concept Snapshot
ALLOWED_HOSTS is a list of allowed domain names for your Django app.
Django checks incoming request Host headers against this list.
If the host is not in ALLOWED_HOSTS, Django returns a 400 error.
Set ALLOWED_HOSTS to your domain names to protect your app.
Use ['localhost'] for local development.
Empty ALLOWED_HOSTS blocks all hosts unless DEBUG=True.
Full Transcript
In Django, the ALLOWED_HOSTS setting is a list of the host and domain names your app will serve. When a request comes in, Django looks at the Host header and checks if it matches any name in ALLOWED_HOSTS. If it does, Django processes the request normally. If not, Django rejects the request with a 400 Bad Request error to protect your app from host header attacks. For example, if ALLOWED_HOSTS contains 'example.com' and 'localhost', requests with those hosts are allowed, but a request with 'malicious.com' is rejected. If ALLOWED_HOSTS is empty, Django blocks all hosts unless you are in debug mode. This setting helps keep your app safe by only accepting requests whose Host header names a trusted domain.
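The Host check described above, as an added example that is not part of the original page and is not Django's own source code: a simplified Python model that goes beyond the exact-match cases in the execution table to cover the matching rules Django documents (port stripped, case-insensitive comparison, a leading dot matching subdomains, '*' matching everything, and an empty list with DEBUG=True falling back to localhost names). All function names here are hypothetical.

```python
# Added example: simplified model of Django's documented ALLOWED_HOSTS
# matching rules. It is not Django's source code; names are hypothetical.

DEBUG_FALLBACK = [".localhost", "127.0.0.1", "[::1]"]  # used when DEBUG=True and the list is empty


def strip_port(host_header):
    """Lower-case the Host header value and drop an optional :port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host[:-1] if host.endswith(".") else host   # drop trailing dot of an FQDN


def matches(host, pattern):
    """'*' matches anything; '.example.com' matches the domain and its subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(host_header, allowed_hosts, debug=False):
    """Return True if the request would proceed, False if it would get a 400."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK
    host = strip_port(host_header)
    return bool(host) and any(matches(host, p) for p in allowed_hosts)


def audit(allowed_hosts, debug=False):
    """Flag settings that weaken or break Host header validation in production."""
    findings = []
    if "*" in allowed_hosts:
        findings.append("'*' disables Host validation")
    if debug:
        findings.append("DEBUG=True must not be used in production")
    if not allowed_hosts and not debug:
        findings.append("empty list with DEBUG=False rejects every request")
    return findings
```

Note that '.example.com' does not match 'evilexample.com': the suffix comparison includes the leading dot, so only the domain itself and true subdomains pass.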