Hey Alex, a trailing . in the host header is valid per RFC 3986: http://tools.ietf.org/html/rfc3986#section-3.2.2:
> The rightmost domain label of a fully qualified domain name in DNS may be
> followed by a single "."

/Markus

On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock wrote:
>
> Are there any known attack vectors that involve appending a period/
> full-stop to a site's domain name?
>
> My Django application throws a handful of errors in production every day:
>
> ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to add
> u'www.example.com.' to ALLOWED_HOSTS.
>
> (note the trailing period)
>
> Is this malicious behaviour, or just users mistyping the URL?
>
> Also, browsers are clearly treating the final '.' as part of the path
> (as these requests are reaching my application), but Django is treating
> the '.' as part of the hostname. Which is right?
>
> --
> Regards,
>
> Alex
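An added example, not part of the original thread and not Django's own code: a stand-alone triage helper that treats a single trailing dot as the FQDN form of an allowed host, while rejecting doubled dots and look-alike suffixes. The function names, the leading-dot wildcard convention and the sample Host values are assumptions constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_PORT = re.compile(r"[0-9]{1,5}")

def split_host(raw):
    """Split a Host header value into (hostname, had_root_dot); None if malformed."""
    host, sep, port = raw.strip().lower().partition(":")
    if sep and not _PORT.fullmatch(port):
        return None                      # ":" must be followed by a numeric port
    had_root_dot = host.endswith(".")
    if had_root_dot:
        host = host[:-1]                 # strip exactly one root dot, never more
    # Any empty label left over ("a..b", ".a", "a..", "") makes the name malformed.
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host, had_root_dot

def classify_host(raw, allowed_hosts):
    """Return 'allowed', 'allowed-fqdn', 'unknown' or 'malformed'."""
    parsed = split_host(raw)
    if parsed is None:
        return "malformed"
    host, had_root_dot = parsed
    for entry in allowed_hosts:
        entry = entry.lower()
        # Assumed convention: a leading "." matches the domain and its subdomains.
        if entry.startswith("."):
            matched = host == entry[1:] or host.endswith(entry)
        else:
            matched = host == entry
        if matched:
            return "allowed-fqdn" if had_root_dot else "allowed"
    return "unknown"

# Constructed sample Host values, not taken from any real log.
SAMPLE_HOSTS = [
    "www.example.com", "www.example.com.", "WWW.Example.COM.:443",
    "www.example.com..", "www.example.com.other.test",
]

if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        print(f"{sample!r:32} {classify_host(sample, ['www.example.com'])}")
```

Running the classifier over the Host values from rejected-request errors separates the trailing-dot form of a known host from names that are malformed or simply not on the allow list.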

