Friday, May 24, 2013

Fix for SuspiciousOperation: Invalid HTTP_HOST header

With Django 1.5, HTTP_HOST header filter is applied to the requests.  If the HTTP_HOST header is not among the ALLOWED_HOSTS list in the, an error is raised, saying this is a suspicious operation.

Let me give an example. Someone (who is not Google), is trying to reach my IP address with the HTTP_HOST as if I'm hosting the homepage.:

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS):

This happens frequently, leading to emails sent to the admins which is annoying. To overcome this, you can add the IP Address of the requester to /etc/hosts.deny file.

Indeed I thought I could put a hostname filter in nginx configuration, especially in the listen part but my configuration did not have an effect.

The attacker tries to exploit a vulnerability and performs a scan over the web. They seem to be from Vietnam.

No comments: