4

I am using Django 1.5, and I am aware of the security issue requiring the ALLOWED_HOSTS argument to include the host. The site is hosted on webfaction.

When I set my production site to DEBUG = False, I get 500 errors for every page. The error I get is:

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): www.mydomain.org

But in settings.py, I have the following:

ALLOWED_HOSTS = ['.mydomain.org']

This is making me crazy. Any ideas?

Edit: This does not seem to be related to header spoofing as in this post. My settings match the allowed host that appears in the error message.

Update with solution: I am embarrassed to say that I had a second ALLOWED_HOSTS = [ ] declaration later in my settings.py file. This was overriding my previous declaration and causing the problem.

Eje
  • 354
  • 4
  • 8
Andrew Barr
  • 3,589
  • 4
  • 18
  • 28

2 Answers2

4

Maybe you just have to put your domain formatted with a full domain name like :

ALLOWED_HOSTS = ['www.mydomain.org']

This worked for me (no more 500 errors)

make sure you access your prod application via www.mydomain.org

utopman
  • 581
  • 4
  • 13
0

This Stackoverflow question will help you:

Django's SuspiciousOperation Invalid HTTP_HOST header

There's a ticket opened regarding this matter:

https://code.djangoproject.com/ticket/19866

Community
  • 1
  • 1
Joyfulgrind
  • 2,762
  • 8
  • 34
  • 41
  • This seems to be about cases in which the 'HTTP_HOST' header doesn't match the ALLOWED_HOSTS setting, but in my case it does. – Andrew Barr Sep 01 '13 at 15:30