How to disable Django's invalid HTTP_HOST error?

Asked 13/8, 2013 at 22:47 Answered 10/1, 2022 at 12:31

Ever since I deployed a site running Django 1.7 alpha (checked out from Git), I've been occasionally receiving error messages with titles like:

"Invalid HTTP_HOST header: 'xxx.xxx.com'"

I realize that this is due to the Host: HTTP header being set to a hostname not listed in ALLOWED_HOSTS. However, I have no control over when and how often someone sends a request to the server with a forged hostname. Therefore I do not need a bunch of error emails letting me know that someone else is attempting to do something fishy.

Is there any way to disable this error message? The logging settings for the project look like this:

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'filters': {
        'require_debug_false': {
            '()': 'django.utils.log.RequireDebugFalse'
        }
    },
    'handlers': {
        'mail_admins': {
            'level': 'ERROR',
            'filters': ['require_debug_false'],
            'class': 'django.utils.log.AdminEmailHandler'
        }
    },
    'loggers': {
        'django.request': {
            'handlers': ['mail_admins'],
            'level': 'ERROR',
            'propagate': True,
        },
    }
}

Gratianna answered 13/8, 2013 at 22:47 Comment(8)

Why are you using an alpha version in production? – Matrilateral 13/9, 2013 at 16:52

@Burhan: because a couple of important bugs were fixed after the latest stable release. – Gratianna 13/9, 2013 at 16:57

How are you hosting it (e.g. WSGI through Apache)? I'd be a big fan of trying to figure out how to block this before it hit Django – Wonderwork 13/9, 2013 at 17:0

@Foon: Apache via mod_wsgi. – Gratianna 13/9, 2013 at 17:1

I agree with @Foon. You shouldn't be ignoring this error. You should be blocking requests with invalid headers before they reach Django. – Officialism 13/9, 2013 at 17:28

@Mark: oh now I see what you're saying. Apache shouldn't be passing the request along with the wrong hostname. – Gratianna 13/9, 2013 at 17:31

I think the best way to work with http requests is middleware... try to catch it there – Variable 17/9, 2013 at 10:19

Does anyone know the name for this attack or why it would ever matter if someone manages to query your site with a hostname that you did not intend? I mean, because they are doing it, I assume there has to be some vulnerability, but it's not obvious to me what it could be. – Brio 8/8, 2018 at 14:25

You shouldn't be ignoring this error. Instead you should be denying the request before it reaches your Django backend. To deny requests with no HOST set you can use

SetEnvIfNoCase Host .+ VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST

or force the match to a particular domain (example.com)

SetEnvIfNoCase Host example\.com VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST

Officialism answered 13/9, 2013 at 17:33 Comment(14)

That is, you're using Apache only. Of you use nginx to forward requests, refer to this answer: https://mcmap.net/q/203553/-django-39-s-suspiciousoperation-invalid-http_host-header – Haematogenous 20/9, 2013 at 12:31

Mark -what do I need to enable to get this behavior you show above? also what config file would this go into if I'm using traditional apache 2.x ? – Outstation 18/1, 2014 at 20:36

You need mod_setenvif enabled. This would go either in httpd.conf or where your virtual host for the domain is defined. – Officialism 18/1, 2014 at 23:45

The information about how to do this in the Apache configuration is useful to me. But I am missing information about why it is I must do this in the Apache configuration. Why can't django be trusted to deny the requests? – Scarabaeoid 7/9, 2014 at 8:22

@Scarabaeoid Django will deny the request but depending on your logging setting you may get an email each time. This is what the question wanted to avoid. Denying the request earlier (Apache/Nginx/etc) is still recommended docs.djangoproject.com/en/1.7/topics/security/… – Officialism 7/9, 2014 at 13:4

I have tested this approach, and there is one case that I simply cannot get to work correctly. Sending an HTTP/1.0 request with no host header is perfectly valid, and django can handle such a request without problems. Sending a request with a host header containing the empty string is however not accepted by django, and produce an error. So I am trying to distinguish those two cases because django can handle one and not the other. But I simply cannot get apache to distinguish them because referring an absent header field appears to always produce an empty string. – Scarabaeoid 27/9, 2014 at 23:43

Is an empty header field a real use case? In other words, do some crawlers or browsers not set this header? This question is not suggestive ... I really do not know. – Bak 5/1, 2015 at 6:49

The header is required in HTTP 1.1 but you can't control what values the client will put in it. Validating the header isn't about handling well behaved clients, it's about handling misbehaved and potentially malicious clients. It isn't consistent how a blank host is handled curl -v --header "Host: " http://example.com returns a 400 and curl -v --header "Host: " http://google.com returns a 200. – Officialism 5/1, 2015 at 13:50

Adding this code to my virtualhost file results in errors like, "Order not allowed here" or "Deny not allowed here." – Coussoule 30/3, 2015 at 15:42

@Coussoule : you can put the code in your virtualhost configuration inside a new <Directory / > </Directory> directive. – Himyaritic 15/4, 2015 at 7:59

You should also provided where to exactly put this configuration, for someone who is new to Apache, this would be helpful. – Brassard 6/2, 2017 at 7:16

It seems in Apache 2.4 we should use Require directives instead of Order, Deny and Allow: Apache 2.4 docs – Taxicab 8/2, 2020 at 18:11

How do you modify this for a list of valid hosts, not just a single one? – Brio 18/3, 2022 at 13:33

Can someone clarify where exactly this goes? Do we create a file in virtualenv/domain-example.com called httpd.conf? – Salvage 17/5, 2023 at 11:35

You can add this to the loggers section of your logging configuration:

    'django.security.DisallowedHost': {
        'handlers': ['mail_admins'],
        'level': 'CRITICAL',
        'propagate': False,
    },

This sets the logging threshold to above the ERROR level that Django uses when a SuspiciousOperation is detected.

Alternatively, you can use e.g. a FileHandler to log these events without emailing them to you. For example, to use a dedicated file just for these specific events, you could add this to the handlers section:

    'spoof_logfile': {
        'level': 'ERROR',
        'class': 'logging.FileHandler',
        'filename': '/path/to/spoofed_requests.log',
    },

and then use this in the loggers section:

    'django.security.DisallowedHost': {
        'handlers': ['spoof_logfile'],
        'level': 'ERROR',
        'propagate': False,
    },

Note that the suggestion made in the Django docs, to use

    'django.security.DisallowedHost': {
        'handlers': ['null'],
        'propagate': False,
    },

depends on you running Python 2.7 or later - on 2.6, logging doesn't have a NullHandler.

Pelorus answered 13/9, 2013 at 16:50 Comment(0)

Using Apache 2.4, there's no need to use mod_setenvif. The HTTP_HOST is already a variable and can be evaluated directly:

WSGIScriptAlias / /path/to/wsgi.py

<Directory /path/to>
    <Files wsgi.py>
        Require expr %{HTTP_HOST} == "example.com"
    </Files>
</Directory>

Wendolyn answered 10/4, 2017 at 12:24 Comment(1)

This seems to work well. Warning if you want to support 'www', you'll need additional logic ex. Require expr %{HTTP_HOST} == "example.com" || %{HTTP_HOST} == "www.example.com" – Baryta 9/10, 2023 at 19:34

Here's NGINX example that should prevent your django from receiving rubbish requests.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    return 444;
}


server {
    listen 80;
    # This will keep Django from receiving request with invalid host
    server_name <SERVER_IP> your.domain.com;
    ...

Schulz answered 27/2, 2015 at 11:4 Comment(5)

The official docs (nginx.org/en/docs/http/…) recommend returning a 444 status code in this situation. – Essary 22/5, 2017 at 6:22

Also, it should be default_server not default (same link as above for reference), at least as of today :) – Essary 22/5, 2017 at 6:23

If using HTTPS, don't forget to repeat the same server block as above, except with port 443 and the ssl certificate specified. Just wasted an hour trying to figure out why I kept getting the error message. – Archdiocese 7/8, 2020 at 16:20

Added HTTPS section in answer. – Sedimentation 29/9, 2021 at 6:53

you could add the ipv6 catching syntax for ssl connection as well – Jolie 18/11, 2022 at 2:16

The django docs address this specifically. They recommend putting this in your logging settings

LOGGING = {
    # ...
    "handlers": {
        # ...
        "null": {
            "class": "logging.NullHandler",
        },
    },
    "loggers": {
        # ...
        "django.security.DisallowedHost": {
            "handlers": ["null"],
            "propagate": False,
        },
    },
}

Additionally, if you are using Sentry, you need to add this to prevent Sentry from picking it up:

from sentry_sdk.integrations.logging import ignore_logger
ignore_logger("django.security.DisallowedHost")

Henceforth answered 10/9, 2020 at 19:58 Comment(8)

wont it block email error alerts too? They stopped working for me – Vicariate 14/1, 2021 at 20:35

@Vicariate the goal of this answer is to disable all error logging of disallowed hosts (including email) – Henceforth 14/1, 2021 at 21:38

For me: The internal server error emails also got blocked after this – Vicariate 15/1, 2021 at 9:40

@Vicariate Django logging lets you configure how errors of different types get handled. If you haven't set up any other loggers, add a default logger like so: https://mcmap.net/q/206257/-django-setup-default-logging – Henceforth 15/1, 2021 at 15:2

Got it, Thanks a lot for answering in comments – Vicariate 15/1, 2021 at 21:0

Very helpful answer, thanks - just a quick note that I also needed to provide a 'version' key in the dict as well. – Miserable 21/3, 2021 at 18:46

don't set handler to "null" it will cause error, use "handlers": [], instead – Fy 26/12, 2022 at 8:20

@LinhNguyen Did you add the config defining the "null" handler? – Henceforth 4/1, 2023 at 17:37

you could silence that particular SuspiciousOperation with something like

'loggers': {
    'django.security.DisallowedHost': {
        'handlers': ['null'],
        'propagate': False,
   },

see this for more reference https://docs.djangoproject.com/en/dev/topics/logging/#django-security

EDIT

you also need to add a 'null' handler:

'handlers': {
    'null': {
        'level': 'DEBUG',
        'class': 'logging.NullHandler',
    },
}

probably you only need to add this and modify the level of error (replacing DEBUG with 'ERROR').

as always refer to the the documentation for the complete syntax and semantic.

Protagonist answered 13/8, 2013 at 22:55 Comment(3)

This doesn't seem to work. I get an error from mod_wsgi: "ValueError: Unable to configure logger 'django.security.DisallowedHost': Unable to add handler 'null': 'null'" – Gratianna 23/8, 2013 at 6:21

do you have an handler named 'null' as the documentation says? I'll modify my answer to point to an example. – Protagonist 24/8, 2013 at 15:46

It's still not working. Here is the exact logging configuration I am using: quickmediasolutions.com/pastebin/15/… – Gratianna 3/9, 2013 at 5:4

Another way to block requests with an invalid Host header before it reaches Django is to use a default Apache config with a <VirtualHost> that does nothing but return a 404.

<VirtualHost *:80>
</VirtualHost>

If you define this as your first virtual host (e.g. in 000-default.conf) and then follow it with your 'real' <VirtualHost>, complete with a <ServerName> and any <ServerAlias> entries that you want to match, Apache will return a 404 for any requests with a Host header that does not match <ServerName> or one of your <ServerAlias> entries. The key it to make sure that the default, 404 <VirtualHost> is defined first, either by filename ('000') or the first entry in your config file.

I like this better than the popular solution above because it is very explicit and easy to extend.

Linchpin answered 12/5, 2015 at 0:7 Comment(1)

This doesn't return a 404 for me, but just gives access to everything in the default document root, listing files etc. Isn't there a specific 404 response directive needed to make it more secure? – Barbra 24/5, 2018 at 21:52

I can't comment yet, but since Order Deny, Allow is deprecated, the way to do this in a virtual host with the current Require directive is:

<Directory /var/www/html/>
    SetEnvIfNoCase Host example\.com VALID_HOST
    Require env VALID_HOST
    Options
</Directory>

Hienhieracosphinx answered 4/10, 2016 at 22:17 Comment(0)

The other answers on this page are correct if you're simply looking to hide or disable the warning. If you're intentionally allowing every hostname the special value of * can be used as the ALLOWED_HOSTS setting.

Note: This may introduce security vulnerabilities.

Django uses the Host header provided by the client to construct URLs in certain cases. While these values are sanitized to prevent Cross Site Scripting attacks, a fake Host value can be used for Cross-Site Request Forgery, cache poisoning attacks, and poisoning links in emails.

Because even seemingly-secure web server configurations are susceptible to fake Host headers, Django validates Host headers against the ALLOWED_HOSTS setting in the django.http.HttpRequest.get_host() method.

To prevent hostname checking entirely, add the following line to your settings.py:

ALLOWED_HOSTS = ['*']

Source: https://github.com/django/django/blob/33c365781abbcc1b21a31b31d95d344a174df0d5/django/http/request.py#L653-L668

def validate_host(host, allowed_hosts):
    """
    Validate the given host for this site.

    Check that the host looks valid and matches a host or host pattern in the
    given list of ``allowed_hosts``. Any pattern beginning with a period
    matches a domain and all its subdomains (e.g. ``.example.com`` matches
    ``example.com`` and any subdomain), ``*`` matches anything, and anything
    else must match exactly.

    Note: This function assumes that the given host is lowercased and has
    already had the port, if any, stripped off.

    Return ``True`` for a valid host, ``False`` otherwise.
    """
    return any(pattern == '*' or is_same_domain(host, pattern) for pattern in allowed_hosts)

Cecilius answered 28/1, 2017 at 14:40 Comment(2)

This answer should include a caveat that it introduces potential security vulnerabilities – Anneal 15/7, 2020 at 16:20

@Anneal I've added a warning including the official documentation about potential security issues – Cecilius 15/7, 2020 at 20:26

for multiple valid hosts you can:

SetEnvIfNoCase Host example\.com VALID_HOST
SetEnvIfNoCase Host example2\.com VALID_HOST
SetEnvIfNoCase Host example3\.com VALID_HOST
Require env VALID_HOST

Quintessence answered 1/5, 2017 at 11:40 Comment(0)

Here's NGINX block needed to prevent your django from receiving such requests.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    return 444;
}

Sedimentation answered 24/9, 2021 at 21:14 Comment(1)

you could add the ipv6 for ssl connection as well – Jolie 17/11, 2022 at 12:6

Also to handle the below error through Apache:

Invalid HTTP_HOST header: '_my.domain.com'. The domain name provided is not valid according to RFC 1034/1035.

We can use regex, ^[^_]+ would match a string of 1 or more character containing any character except underscore in the subdomain as in the below case.

We can apply it to wsgi.py file

<VirtualHost xxx.xxx.xxx.xxx:XX>
    ...

    SetEnvIfNoCase Host "^[^_]+\.my-domain\.com" VALID_HOST
    <Files wsgi.py>
        <RequireAll>
            Require all granted
            Require env VALID_HOST
        </RequireAll>
    </Files>
    
    ...
</VirtualHost>

With Require expr:

<VirtualHost xxx.xxx.xxx.xxx:XX>
    ...


    <Files wsgi.py>

        Require expr %{HTTP_HOST} =~ m#^[^_]+\.my-domain\.com#

    </Files>


    ...

</VirtualHost>

Or we can use <Location "/">, which is an easy way to apply a configuration to the entire server.

<VirtualHost xxx.xxx.xxx.xxx:XX>
    ...

    SetEnvIfNoCase Host "^[^_]+\.my-domain\.com" VALID_HOST
    <Location />
        <RequireAll>
            Require all granted
            Require env VALID_HOST
        </RequireAll>
    </Location>
    
    ...
</VirtualHost>

From Apache docs:

When to use <Location "/">

Use <Location> to apply directives to content that lives outside the filesystem. For content that lives in the filesystem, use and . An exception is <Location "/">, which is an easy way to apply a configuration to the entire server.

The answer is based on Apache Module mod_setenvif and how to block persistent requests from a particular robot.

Lurlene answered 10/1, 2022 at 12:31 Comment(0)

In setting.py set:

ALLOWED_HOSTS = ['yourweb.com']

Obtect answered 29/11, 2016 at 13:17 Comment(1)

This does not actually solve the issue presented by the OP. As the OP has stated: "However, I have no control over when and how often someone sends a request to the server with a forged hostname." The problem is that every time a forged hostname goes through, the OP gets notified in a cumbersome way (email). What the OP wants is to get notifications that are not so invasive. Editing ALLOWED_HOSTS is not the solution here. – Lasky 29/11, 2016 at 13:21

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags