Is ALLOWED_HOSTS needed on Heroku?


Question


From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.

It looks like Heroku's Custom Domains do the same thing.

So instead of adding a required ALLOWED_HOSTS variable in your app.json for the Heroku Button (since it feels redundant and is error-prone when you're in a hurry), can you set ALLOWED_HOSTS = ['*'] and allow Heroku to verify the requests are coming where they should instead?

Solution

This is exactly what you are supposed to do, per Getting Started with Django on Heroku (devcenter.heroku.com/articles/getting-started-with-django#django-settings):

settings.py

# Parse database configuration from $DATABASE_URL
import dj_database_url
DATABASES['default'] = dj_database_url.config()

# Honor the 'X-Forwarded-Proto' header for request.is_secure()
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

# Allow all host headers
ALLOWED_HOSTS = ['*']

# Static asset configuration
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
STATIC_ROOT = 'staticfiles'
STATIC_URL = '/static/'

STATICFILES_DIRS = (
    os.path.join(BASE_DIR, 'static'),
)
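
The alternative the question weighs, an explicit ALLOWED_HOSTS supplied through an environment variable such as one declared in app.json, sketched as an added example that is not from the original post or from Heroku's guide. `hosts_from_env`, `host_allowed`, `compare` and the sample hostnames are hypothetical; `host_allowed` is a simplified re-implementation of Django's documented matching rules, used only to show which Host headers `['*']` and an explicit list let through.

```python
# Added example; helper names and hostnames are hypothetical, not from the page.
import os


def hosts_from_env(environ=os.environ, var="ALLOWED_HOSTS"):
    """Parse a comma-separated host list such as 'a.example.com, .example.org'.

    Raises when the variable is missing or empty instead of quietly falling
    back to ['*'], so a misconfigured deploy fails at startup.
    """
    hosts = [h.strip().lower() for h in environ.get(var, "").split(",") if h.strip()]
    if not hosts:
        raise RuntimeError(f"{var} is not set or empty")
    return hosts


def host_allowed(host_header, allowed_hosts):
    """Simplified version of Django's documented ALLOWED_HOSTS matching:
    '*' matches anything, '.example.org' matches that domain and its
    subdomains, any other entry must equal the host (port ignored)."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, maybe with a port
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]    # drop ":port"
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


# Constructed sample values.
SAMPLE_ENV = {"ALLOWED_HOSTS": "myapp.example.com, .example.org"}
SAMPLE_HEADERS = ["myapp.example.com", "myapp.example.com:443",
                  "api.example.org", "unrelated.example.net"]


def compare(headers=SAMPLE_HEADERS, env=SAMPLE_ENV):
    """Map each Host header to (allowed by ['*'], allowed by the explicit list)."""
    explicit = hosts_from_env(env)
    return {h: (host_allowed(h, ["*"]), host_allowed(h, explicit)) for h in headers}


if __name__ == "__main__":
    for header, (wildcard, explicit) in compare().items():
        print(f"{header:24} wildcard={wildcard!s:5} explicit={explicit}")
```

In settings.py this would be used as `ALLOWED_HOSTS = hosts_from_env()`; Django then performs the matching itself.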
