list should contain fully qualified host names, not urls. Leave out the port and the protocol. If you are using
, I would add localhost
to the list too:
ALLOWED_HOSTS = ['', 'localhost']
You could also use *
to match any host:
Quoting the documentation:
Values in this list can be fully qualified names (e.g.
), in which case they will be matched against the requestβsHost
header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard:'.example.com'
will matchexample.com
, and any other subdomain ofexample.com
. A value of'*'
will match anything; in this case you are responsible to provide your own validation of theHost
header (perhaps in a middleware; if so this middleware must be listed first inMIDDLEWARE_CLASSES
Bold emphasis mine.
The status 400 response you get is due to a SuspiciousOperation
exception being raised when your host header doesnβt match any values in that list.
I had the same problem and none of the answers resolved my problem. For resolving situations like this, itβs best to enable logging by adding the following config to settings.py
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'file': {
'level': 'DEBUG',
'class': 'logging.FileHandler',
'filename': '/tmp/debug.log',
'loggers': {
'django': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
When you see the issue, itβs easier to handle than by blind debugging.
My issue was:
Invalid HTTP_HOST header: βpt_web:8000β. The domain name provided is not valid according to RFC 1034/1035.
I resolved it by adding proxy_set_header Host $host;
to the Nginx config file and enabling port forwarding with USE_X_FORWARDED_PORT = True
in the settings.py
(itβs because in my case I was listening to requests on Nginx port 8080
and passing to guni
on port 8000
- [Django]-Django 2.0 β Not a valid view function or pattern name (Customizing Auth views)
- [Django]-Django: Multiple forms possible when using FormView?
- [Django]-Django models: mutual references between two classes and impossibility to use forward declaration in python
For me, I got this error by not setting USE_X_FORWARDED_HOST
to true. From the docs:
This should only be enabled if a proxy which sets this header is in use.
My hosting service wrote explicitly in their documentation that this setting must be used, and I get this 400 error if I forget it.
- [Django]-Data Mining in a Django/Postgres application
- [Django]-Error: No module named staticfiles
- [Django]-Celery missed heartbeat (on_node_lost)
in the settings.py of your project, check line 28, where is the Allows Host
ALLOWED_HOSTS = ['IP', 'servidor', ]
you must put the IP and the server you use, level local or web
ALLOWED_HOSTS = ['', 'localhost', 'www.ejemplo.com']
- [Django]-Login Page by using django forms
- [Django]-Django-taggit β how do I display the tags related to each record
- [Django]-Is this the right way to do dependency injection in Django?
I had the same problem and I fixed it by setting ALLOWED_HOSTS = ['*']
and to solve the problem with the static images you have to change the virtual paths in the environment configuration like this:
Virtual Path
/static/ /opt/python/current/app/yourpj/static/
/media/ /opt/python/current/app/Nuevo/media/
I hope it helps you.
PD: sorry for my bad english.
- [Django]-Django form fails validation on a unique field
- [Django]-Django 1.7 β App 'your_app_name' does not have migrations
- [Django]-Django 2 β How to register a user using email confirmation and CBVs?
With DEBUG = False
in you settings file, you also need ALLOWED_HOST list set up.
Try including ALLOWED_HOST = ['', 'localhost', 'www.yourdomain.com']
Otherwise you might receive a Bad Request(400) error from django.
- [Django]-Django select_for_update cannot be used outside of a transaction
- [Django]-Django custom field validator vs. clean
- [Django]-Serving Media files during deployment in django 1.8
For me as I have already xampp on and django on
and i kept trying adding hosts
ALLOWED_HOSTS = ['', 'localhost', 'www.yourdomain.com', '*', '']
and i got the same error or (400) bad request
so I change the url to used port)/project
and voila !
you have to check what is your virtual network address, for me as i use bitnami django stack 2.2.3-1 on Linux i can check which port django is using.
if you have an error ( 400 bad request ) then i guess django on different virtual network ..
good luck
- [Django]-Default value for user ForeignKey with Django admin
- [Django]-Can't compare naive and aware datetime.now() <= challenge.datetime_end
- [Django]-Django switching, for a block of code, switch the language so translations are done in one language
I had to stop the apache server first.
(f.e. sudo systemctl stop httpd.service
/ sudo systemctl disable httpd.service
That solved my problem besides editing the βsettings.py
β file
to ALLOWED_HOSTS = ['se.rv.er.ip', 'www.example.com']
- [Django]-Filtering using viewsets in django rest framework
- [Django]-Django render_to_string missing information
- [Django]-Cron and virtualenv
try manage.py collectstatic
I was missing a static file after an update, hence the bad request.
- [Django]-Factory-boy create a list of SubFactory for a Factory
- [Django]-Using JSON in django template
- [Django]-Do we need to upload virtual env on github too?
There are two other reasons I know (less frequent but still) that can cause 400 bad request:
- Nginx Doesnβt Pass $Host To Your Application
- Host Name Has Underscores
I outlined these examples here
- [Django]-ModuleNotFoundError: No module named 'grp' on windows
- [Django]-Django 2, python 3.4 cannot decode urlsafe_base64_decode(uidb64)
- [Django]-How does one make logging color in Django/Google App Engine?
Try to run your server with the --insecure
flag, just like this:
python manage.py runserver --insecure
- [Django]-How do I make many-to-many field optional in Django?
- [Django]-Celery. Decrease number of processes
- [Django]-Access web server on VirtualBox/Vagrant machine from host browser?