2👍
✅
Recently, Django released 1.10.3, 1.9.11 and 1.8.16 to fix security issues.
Following those releases, Django will check settings.ALLOWED_HOSTS even when settings.DEBUG=True. This protects against a DNS rebinding attack.
If ALLOWED_HOSTS is empty, then Django will use ['localhost', '127.0.0.1', '::1']. However, if you use any other host, you will now need to add it to ALLOWED_HOSTS, even when DEBUG is True
Source:stackexchange.com