
I'm trying to implement a RESTful API in Django such that any IP could query the endpoints. However, I'm concerned about header attacks if I were to set ALLOWED_HOSTS = ['*'].

I read an answer to Why is Django throwing error "DisallowedHost at /"? which suggests that API calls should be responded to, not for, by the server.

I don't fully comprehend what they mean or how to implement it and am looking for suggestions.

Ultimately, I want to know how I can make an API call which is not blocked by Django because it is not in ALLOWED_HOSTS.

jgoods
  • `ALLOWED_HOSTS` is a setting for the Django development server. You do not run a production API on the development server. Use a proper WSGI setup instead. – Klaus D. Sep 09 '17 at 04:33

3 Answers


ALLOWED_HOSTS has nothing to do with your API calls in any way. It's the list of hostnames your server should respond for, not to.

Hisagr
  • Your response is the portion that is confusing. Responding "for" vs "to": I understand the meaning, but not the implementation or what causes one vs the other. My apologies, the call is set up through Django REST framework and an auth token. If I curl the server at the endpoint, it gives me this allowed sites error. – jgoods Sep 09 '17 at 20:43
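To make the "respond for, not to" distinction concrete, here is an added example (not code from the question or any answer, and not Django's own implementation): a simplified, constructed re-implementation of the ALLOWED_HOSTS matching rules (exact name, ".domain" subdomain wildcard, "*"), applied to the Host header of an incoming request. The client's IP address never enters the check; only the hostname the client asked for does, which is why '*' disables the protection against spoofed Host headers rather than "opening the API".

```python
from typing import List

# Constructed, simplified model of Django's ALLOWED_HOSTS check.
# Hypothetical helpers for illustration; not Django's own code.


def split_host_port(host_header: str) -> str:
    """Return the lowercased host part of a Host header, without the port."""
    h = host_header.strip().lower().rstrip('.')
    if h.startswith('['):                      # IPv6 literal, e.g. [::1]:8000
        return h[: h.index(']') + 1] if ']' in h else ''
    if h.count(':') == 1:                      # name:port or v4:port
        return h.rsplit(':', 1)[0]
    return h


def host_allowed(host_header: str, allowed_hosts: List[str]) -> bool:
    """Apply the ALLOWED_HOSTS matching rules to one Host header value."""
    host = split_host_port(host_header)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':                      # matches anything (unsafe)
            return True
        if pattern.startswith('.'):             # subdomain wildcard
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:                   # exact match
            return True
    return False


def absolute_url(host_header: str, allowed_hosts: List[str], path: str) -> str:
    """Build an absolute URL the way request.build_absolute_uri() would,
    refusing (like DisallowedHost) when the Host header is not served here.
    With '*', a spoofed Host header would be reflected into this link."""
    if not host_allowed(host_header, allowed_hosts):
        raise ValueError('DisallowedHost: %r' % host_header)
    return 'https://%s%s' % (split_host_port(host_header), path)


def risky_settings(allowed_hosts: List[str]) -> bool:
    """True when the setting disables Host header validation entirely."""
    return any(p.strip() == '*' for p in allowed_hosts)
```

A client at any IP that sends `Host: api.example.com` passes with `ALLOWED_HOSTS = ['api.example.com']`; what the nginx proxy forwards as the Host header (typically `proxy_set_header Host $host;`) is what Django compares, which is why a curl to a bare IP is rejected unless that IP is listed.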

The problem you are having is not anything to do with ALLOWED_HOSTS, and everything to do with CSRF protection. You have two options. You can disable cross site request forgery protection on the page by using either

@method_decorator(csrf_exempt, name='dispatch')

above your class in Django >= 1.9, or decorating the dispatch method in previous versions of Django, such as this:

from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt

class myView(View):
    # Exempting dispatch() exempts every HTTP method handled by this view.
    @method_decorator(csrf_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super(myView, self).dispatch(request, *args, **kwargs)

If you are concerned about who can gain access though, you will need to look into other authentication methods, such as token based authentication, so that only sites passing the proper token can get access.

PoDuck
  • When I curl the server it goes through nginx and is routed to Django. It specifically says it needs to be added to the allowed hosts. I'm simply using APIView for my class and am not sure the decorator will fix the issue. I can try and get back to you. I am currently using Django auth token. – jgoods Sep 09 '17 at 20:40
  • Have you tried to add 127.0.0.1 or the hostname you use to access it? – PoDuck Sep 09 '17 at 20:45
  • It is possible you need both, although I've never seen that. – PoDuck Sep 09 '17 at 20:46
  • I had to add the IP address of the device making the curl command, which defeats the purpose of an open api. – jgoods Sep 09 '17 at 21:07
  • Still not a solution though. – jgoods Sep 09 '17 at 21:54
  • That's why I don't understand how it can be an "ALLOWED_HOSTS" issue. What Django does is make sure that the requested domain is in the ALLOWED_HOSTS to ensure that there is not someone in the middle. Unless the machine running curl is using a misconfigured proxy server, there should be no issues. I am still inclined to believe it is a CSRF issue. Putting your machine in the ALLOWED_HOSTS is simply overriding the real problem. – PoDuck Sep 10 '17 at 00:14
  • Have you tried making the page CSRF exempt as I showed above, and checked if that allows you access? – PoDuck Sep 10 '17 at 00:16
  • I think you may have solved my issue. I was currently testing the site locally and was issuing curl commands from a private VPC which required knowing the local IP. I have a feeling if I add the local system's IP to the `ALLOWED_HOSTS` it will work. – jgoods Sep 10 '17 at 00:21
  • Let me know. It seems like this problem should not be this difficult to figure out. I'll stick with you till you figure it out. – PoDuck Sep 10 '17 at 00:23
  • Success, thanks! Wrote a script for local debugging which will add the IP if necessary. – jgoods Sep 10 '17 at 00:33

ALLOWED_HOSTS is a list of strings or regular expressions representing the host/domain names that this Django site can serve. You need to use Token, JWT or any other authentication method for protecting your APIs.

shashank
  • I am using Django token auth, but when I curl the APIView, it gets rejected for not being an allowed host. This may be because the command is being routed through nginx? – jgoods Sep 09 '17 at 20:37