Thanks Alasdair, that's really useful. I'm using v1.6.X in production, which makes sense based on your email.
Alex.

On 22/12/14 13:58, Alasdair Nicol wrote:
> Hi Alex,
>
> There is no security implication adding 'example.com.' (with trailing
> dot) to your ALLOWED_HOSTS setting. There is some more information in
> the ALLOWED_HOSTS setting docs.
>
> From https://docs.djangoproject.com/en/1.7/ref/settings/#allowed-hosts
>
>> In previous [<= 1.6.X] versions of Django, if you wanted to also
>> allow the fully qualified domain name (FQDN), which some browsers
>> can send in the Host header, you had to explicitly add another
>> ALLOWED_HOSTS entry that included a trailing period.
>>
>> In Django 1.7, the trailing dot is stripped when performing host
>> validation, thus an entry with a trailing dot isn't required.
>
> cheers,
> Alasdair
>
> On 22/12/14 12:05, Alex Haylock wrote:
>> Thanks Markus.
>>
>> So, as per the RFC, are 'example.com' and 'example.com.' considered to
>> be the same domain, or two separate domains?
>>
>> Are there any security implications if I add 'example.com.' to
>> ALLOWED_HOSTS to cater for these requests?
>>
>> Thanks,
>>
>> Alex.
>>
>> On 22/12/14 11:52, Markus Holtermann wrote:
>>> Hey Alex,
>>>
>>> a trailing . in the host header is valid per RFC 3986:
>>> http://tools.ietf.org/html/rfc3986#section-3.2.2:
>>>
>>>     The rightmost domain label of a fully qualified domain name in DNS
>>>     may be followed by a single "."
>>>
>>> /Markus
>>>
>>> On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock wrote:
>>>
>>>     Are there any known attack vectors that involve appending a period/
>>>     full-stop to a site's domain name?
>>>
>>>     My Django application throws a handful of errors in production every
>>>     day:
>>>
>>>         ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to
>>>         add u'www.example.com.' to ALLOWED_HOSTS.
>>>
>>>     (note the trailing period)
>>>
>>>     Is this malicious behaviour, or just users mistyping the URL?
>>>
>>>     Also, browsers are clearly treating the final '.' as part of the path
>>>     (as these requests are reaching my application), but Django is
>>>     treating the '.' as part of the hostname. Which is right?
>>>
>>>     --
>>>     Regards,
>>>
>>>     Alex
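The 1.6-versus-1.7 difference Alasdair quotes is easy to see in code. The block below is an added example written for this page, not code from the thread or from Django itself: a small stand-alone re-implementation of the shape of Django's Host-header check (split off the port, normalise case, strip one trailing dot, then compare against ALLOWED_HOSTS entries, where a leading '.' matches a domain and its subdomains and '*' matches anything). The function names, the `strip_trailing_dot` switch that models the two Django generations, and the host-syntax regular expression are all this example's own approximations, not Django's exact implementation.

```python
import re

# Syntax check for the Host header: a hostname, an IPv4 address, or a bracketed
# IPv6 literal, optionally followed by ':port'. This is the example's own
# approximation of the shape Django accepts, not Django's regex.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")


def split_domain_port(host, strip_trailing_dot=True):
    """Return (domain, port) for a raw Host header value, or ('', '') if malformed.

    With strip_trailing_dot=True a single trailing '.' on the FQDN is removed
    before validation (the Django 1.7 behaviour described in the thread).
    With False the dot is kept, so 'example.com.' and 'example.com' differ
    (the <= 1.6 behaviour).
    """
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":
        return host, ""  # bare bracketed IPv6 literal, no port
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    if strip_trailing_dot and domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """Match an already-normalised host against one ALLOWED_HOSTS entry.

    A pattern starting with '.' matches the domain itself and any subdomain;
    any other pattern must match exactly. Suffix matching is anchored on the
    leading dot, so 'www.example.com.evil.com' does not match '.example.com'.
    """
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def validate_host(host, allowed_hosts):
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def host_is_allowed(host_header, allowed_hosts, strip_trailing_dot=True):
    """Decide whether a raw Host header value passes an ALLOWED_HOSTS list."""
    domain, _port = split_domain_port(host_header, strip_trailing_dot)
    return bool(domain) and validate_host(domain, allowed_hosts)


if __name__ == "__main__":
    # Constructed Host header values, including the trailing-dot case from
    # the thread and a subdomain-suffix spoof attempt.
    allowed = ["www.example.com"]
    for hdr in ["www.example.com", "www.example.com.", "WWW.Example.com.:443",
                "www.example.com.evil.com", "www.example.com/.."]:
        print(f"{hdr!r:32} 1.6-style={host_is_allowed(hdr, allowed, False)!s:5} "
              f"1.7-style={host_is_allowed(hdr, allowed)}")
```

With the 1.6-style switch, 'www.example.com.' is rejected unless you also list 'www.example.com.' explicitly, which is exactly the extra entry the quoted docs describe; with the 1.7-style switch the dot is dropped first and the single entry suffices. Either way the comparison is an exact or dot-anchored suffix match, so adding the dotted form does not widen what the check accepts.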

