django配置(setting)之ALLOWED_HOSTS

django官方文檔解釋:

ALLOWED_HOSTS? Default: [] (Empty list)A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations.Values in this list can be fully qualified names (e.g. 'www.example.com'), in which case they will be matched against the request’s Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: '.example.com' will match example.com, www.example.com, and any other subdomain of example.com. A value of '*' will match anything; in this case you are responsible to provide your own validation of the Host header (perhaps in a middleware; if so this middleware must be listed first in MIDDLEWARE).Django also allows the fully qualified domain name (FQDN) of any entries. Some browsers include a trailing dot in the Host header which Django strips when performing host validation.If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.When DEBUG is True and ALLOWED_HOSTS is empty, the host is validated against ['localhost', '127.0.0.1', '[::1]'].This validation only applies via get_host(); if your code accesses the Host header directly from request.META you are bypassing this security protection.Changed in Django 1.10.3: In older versions, ALLOWED_HOSTS wasn’t checked if DEBUG=True. This was also changed in Django 1.9.11 and 1.8.16 to prevent a DNS rebinding attack.

---

理解AllOWED_HOSTS

settings.py

• ALLOWED_HOSTS是配置在Django項目中的settings.py文件中的，Django設(shè)置文件包含Django安裝的所有配置。

注意: settings.py設(shè)置文件只是一個帶有模塊級別變量的Python模塊。

• 由于settings.py設(shè)置文件時Python模塊，因此以下內(nèi)容適用:
  • 它不允許Python語法錯誤。
  • 它可以使用普通的Python語法動態(tài)分配設(shè)置。例如: MY_SETTING = [str(i) for i in range(30)]。
  • 它可以從其他設(shè)置文件導(dǎo)入值。

ALLOWED_HOSTS的作用

• ALLOWED_HOSTS是為了限定請求中的host值，以防止黑客構(gòu)造包來發(fā)送請求。只有在列表中的host才能訪問。

注意：在這里本人強(qiáng)烈建議不要使用*通配符去配置，另外當(dāng)DEBUG設(shè)置為False的時候必須配置這個配置。否則會拋出異常。

ALLOWED_HOSTS的配置中文說明

• ALLOWED_HOSTS后面所跟的屬性值是一個字符串列表值，這個字符串列表值表示當(dāng)下這個Django站點(diǎn)可以提供的host/domain(主機(jī)/域名)。這是一種安全措施，通過使用偽造的HTTP主機(jī)標(biāo)頭提交請求來防止攻擊者中毒緩存并觸發(fā)帶有惡意主機(jī)鏈接的密碼重置電子郵件，即使在許多看似安全的Web服務(wù)器配置下也是如此。

總結(jié)

以上是生活随笔為你收集整理的django配置(setting)之ALLOWED_HOSTS的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。