66👍
If your ALLOWED_HOSTS
is set correctly, then it is possible someone is probing your site for the vulnerability by spoofing the header.
There is discussion right now by the Django developers to change this from a 500 internal server error to a 400 response. See this ticket.
155👍
If you’re using Nginx to forward requests to Django running on Gunicorn/Apache/uWSGI, you can use the following to block bad requests. Thanks to @PaulM for the suggestion.
upstream app_server {
server unix:/tmp/gunicorn_mydomain.example.sock fail_timeout=0;
}
server {
...
## Deny illegal Host headers
if ($host !~* ^(mydomain.example|www.mydomain.example)$ ) {
return 444;
}
location / {
proxy_pass http://app_server;
...
}
}
- [Django]-Where is my Django installation?
- [Django]-Unique fields that allow nulls in Django
- [Django]-How to produce a 303 Http Response in Django?
31👍
When using Nginx you could set up you servers in a way only requests to the hosts you want get to Django in the first place. That should give you no SuspiciousOperation errors anymore.
server {
# default server
listen 80;
server_name _ default;
return 444;
}
server {
# redirects
listen 80;
server_name example.com old.stuff.example.com;
return 301 http://www.example.com$request_uri;
}
server {
# app
listen 80;
server_name www.example.com; # only hosts in ALLOWED_HOSTS here
location / {
# ...
}
# ... your config/proxy stuff
}
- [Django]-Handle `post_save` signal in celery
- [Django]-How to make an auto-filled and auto-incrementing field in django admin
- [Django]-Django get the static files URL in view
16👍
This is fixed in newer versions of Django, but if you’re using an affected version (e.g. 1.5) you can add a filter to your logger handler to get rid of these, as outlined in this blog post.
Spoiler:
from django.core.exceptions import SuspiciousOperation
def skip_suspicious_operations(record):
if record.exc_info:
exc_value = record.exc_info[1]
if isinstance(exc_value, SuspiciousOperation):
return False
return True
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'filters': {
'require_debug_false': {
'()': 'django.utils.log.RequireDebugFalse',
},
# Define filter
'skip_suspicious_operations': {
'()': 'django.utils.log.CallbackFilter',
'callback': skip_suspicious_operations,
},
},
'handlers': {
'mail_admins': {
'level': 'ERROR',
# Add filter to list of filters
'filters': ['require_debug_false', 'skip_suspicious_operations'],
'class': 'django.utils.log.AdminEmailHandler'
}
},
'loggers': {
'django.request': {
'handlers': ['mail_admins'],
'level': 'ERROR',
'propagate': True,
},
}
}
- [Django]-'pip' is not recognized as an internal or external command
- [Django]-Filtering dropdown values in django admin
- [Django]-Switching to PostgreSQL fails loading datadump