Is my domain middleware safe?

Hello there,

I’m currently working on a Django project that allows our users to create their own websites. One of the main features I’ve been working with is setting up custom domain capabilities.

Here’s what I did:

I initially set the ALLOWED_HOSTS setting to ['*'], and I've since devised a middleware to manage domain routing:

First, it checks whether the host (using request.get_host()) corresponds to www.domain.com. If so, the middleware directs the request to the homepage application using the request.urlconf attribute.

Next stop is checking if the host matches dash.domain.com. If it does, voila! The request gets routed to the dash app.

And here’s where it gets interesting. If neither of the above conditions is met, the middleware dives into the database to see if the host matches any of the registered site domains. If it finds a match, it redirects to the sites app with all the site-specific info. If not, it gracefully returns a 404 error.

I’ve been thinking about the safety aspects of this configuration since the ALLOWED_HOSTS setting is ['*'], and I’d like your opinion. Do you think this approach is safe enough?
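The routing described in the post, as an added framework-independent Python sketch (not the poster's middleware): the Django parts (assigning request.urlconf, returning the 404, the ORM query against the sites table) are stood in for by the Route value and the lookup_site callable, and the two platform host names are assumptions. It adds the one thing the post leaves to ALLOWED_HOSTS: the raw Host header is normalised and syntax-checked before anything is compared or looked up in the database.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed platform hosts; the real values would live in settings.
HOMEPAGE_HOST = "www.domain.com"
DASH_HOST = "dash.domain.com"

# Same shape as Django's own host check: dot-separated labels of letters,
# digits and hyphens, optional trailing dot. Anything else is rejected.
_HOST_RE = re.compile(r"^([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}\.?$")


@dataclass(frozen=True)
class Route:
    urlconf: str            # what the middleware would put in request.urlconf
    site_id: Optional[int]  # registered site for tenant domains, else None


def normalise_host(raw_host: str) -> Optional[str]:
    """Lower-case the Host header, drop a trailing port, reject malformed input."""
    host = raw_host.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, never a tenant domain
        return None
    if host.count(":") == 1:          # "example.com:8000" -> "example.com"
        host = host.rsplit(":", 1)[0]
    if not _HOST_RE.match(host):
        return None
    return host.rstrip(".")


def resolve_host(raw_host: str,
                 lookup_site: Callable[[str], Optional[int]]) -> Optional[Route]:
    """Mirror the middleware's decision order; None means 'answer with 404'."""
    host = normalise_host(raw_host)
    if host is None:
        return None
    if host == HOMEPAGE_HOST:
        return Route("homepage.urls", None)
    if host == DASH_HOST:
        return Route("dash.urls", None)
    site_id = lookup_site(host)       # only a cleaned host reaches the database
    if site_id is None:
        return None
    return Route("sites.urls", site_id)


if __name__ == "__main__":
    registered = {"alice.example": 1}  # constructed stand-in for the sites table
    print(resolve_host("ALICE.example:8000", registered.get))
```

Whatever the middleware routes to should also build absolute URLs from the normalised host it validated, not from the raw header, since with ALLOWED_HOSTS set to ['*'] nothing else has checked it.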

The Host header validation docs identify what the potential risks are that are protected by this header.

So, the potential issue that I see with what you’ve created is that you’ve created the possibility that a user on domain “A” creates, or leaves themselves vulnerable to, an exploit that targets domain “B”, where both domain “A” and “B” are managed within your environment.

In this situation, your ALLOWED_HOSTS middleware isn’t going to do anything to help protect domain “B”.

What do you mean by “creates, or leaves themselves vulnerable”? Do you have an example?

Not specifically. (While I understand many of the principles involved in these topics, I’m not a web-security specialist and do not keep a library of exploits suitable for testing applications.)

If the particulars of the vulnerabilities that are protected by the ALLOWED_HOSTS settings as listed in those docs are of interest to you, I’d suggest you do your own research into those areas. It’s a much deeper topic than what would be practical as a forum answer.