Thanks Markus. So, as per the RFC, are 'example.com' and 'example.com.' considered to be the same domain, or two separate domains?
Are there any security implications if I add 'example.com.' to ALLOWED_HOSTS to cater for these requests?

Thanks,
Alex.

On 22/12/14 11:52, Markus Holtermann wrote:
> Hey Alex,
>
> a trailing . in the host header is valid per RFC 3986:
> http://tools.ietf.org/html/rfc3986#section-3.2.2:
>
>     The rightmost domain label of a fully qualified domain name in DNS
>     may be followed by a single "."
>
> /Markus
>
> On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock wrote:
>
>> Are there any known attack vectors that involve appending a period/
>> full-stop to a site's domain name?
>>
>> My Django application throws a handful of errors in production every
>> day:
>>
>>     ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to
>>     add u'www.example.com.' to ALLOWED_HOSTS.
>>
>> (note the trailing period)
>>
>> Is this malicious behaviour, or just users mistyping the URL?
>>
>> Also, browsers are clearly treating the final '.' as part of the path
>> (as these requests are reaching my application), but Django is treating
>> the '.' as part of the hostname. Which is right?
>>
>> --
>> Regards,
>>
>> Alex
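The host normalization the question is really about, as an added example that is not part of this thread and not Django's own ALLOWED_HOSTS code: an allowlist check that treats 'www.example.com.' and 'www.example.com' as the same name (the single trailing "." RFC 3986 permits), still refuses hosts that merely begin with an allowed name, and rejects a doubled trailing dot as malformed. The function names and the host regex are my own assumptions.

```python
import re

# Added illustration, not Django's own validate_host/ALLOWED_HOSTS code.
# Host header grammar: DNS-style name or bracketed IPv6 literal, optional port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def normalize_host(host):
    """Lowercase, split off the port and drop at most one trailing dot.

    Returns (domain, port); domain is '' for an invalid host. So
    'www.example.com.' equals 'www.example.com' (RFC 3986 allows one
    trailing "."), while 'www.example.com..' is rejected as malformed.
    """
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal, no port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:
        domain, port = host, ""
    if domain.endswith("."):
        domain = domain[:-1]
    if not domain or domain.endswith("."):  # empty name or second trailing dot
        return "", ""
    return domain, port


def host_allowed(host_header, allowed_hosts):
    """ALLOWED_HOSTS-style check: exact match, '.example.com' suffix match
    (also matching 'example.com' itself), or '*'.

    Allowlist entries get the same normalization, so a separate
    'example.com.' entry is redundant rather than harmful: it names the same
    DNS zone, and hosts that merely begin with the name are still refused.
    """
    domain, _port = normalize_host(host_header)
    if not domain:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.endswith("."):
            pattern = pattern[:-1]
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain == pattern[1:] or domain.endswith(pattern)):
            return True
    return False
```

With this normalization in front of the allowlist, the trailing-dot requests in the log are accepted as the site's own name without widening what the allowlist admits.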

