
Django REST API calls and allowed_hosts

I'm trying to implement a RESTful API in Django such that any IP could query the endpoints. However, I'm concerned about header attacks if I were to set ALLOWED_HOSTS = ['*'].

I read an answer to Why is Django throwing error "DisallowedHost at /"? which suggests that API calls should be responded to, not for, by the server.

I don't fully comprehend what they mean or how to implement it and am looking for suggestions.

Ultimately, I want to know how I can make an API call that is not blocked by Django because it is not in ALLOWED_HOSTS?

ALLOWED_HOSTS has nothing to do with your API calls in any way. It's the list of hostnames your server should respond for, not to.
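To make the "respond for, not to" distinction concrete, here is an added example that models the Host-header check ALLOWED_HOSTS drives. It is not Django's own code and not part of the answer above; it mirrors the matching rules of django.http.request.validate_host (case-insensitive exact name, leading-dot subdomain wildcard, and '*') closely enough to show that the check looks only at the Host header a client sends, never at the client's IP, and that '*' simply switches the check off. The sample Host values are constructed.

```python
"""Model of the Host-header check that ALLOWED_HOSTS drives.

Added illustration, not Django's own code: it mirrors the matching rules
of django.http.request.validate_host (case-insensitive exact name,
leading-dot subdomain wildcard, and '*') closely enough to show that the
check looks at the Host header a client *sends*, never at the client's
IP, and that '*' simply switches the check off.
"""
import re
from typing import Iterable, Tuple

# host[:port] or [ipv6][:port]; anything else is rejected outright.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host: str) -> Tuple[str, str]:
    """Lower-case the Host value and separate the port; ('', '') if malformed."""
    host = host.lower()
    match = _HOST_RE.match(host)
    if not match:
        return "", ""
    domain, port = match.groups()
    # A trailing dot names the same host, so strip it before comparing.
    return domain.rstrip("."), (port[1:] if port else "")


def validate_host(host: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host header matches one of the ALLOWED_HOSTS patterns."""
    domain, _port = split_domain_port(host)
    if not domain:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True                      # ['*'] accepts any well-formed Host
        if pattern.startswith("."):
            # ".example.com" matches example.com and every subdomain of it
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


# Constructed sample Host headers as different clients might send them.
SAMPLE_HOSTS = [
    "api.example.com",            # the server's own name
    "api.example.com:8000",       # same, with an explicit port
    "API.EXAMPLE.COM.",           # case and trailing dot do not matter
    "203.0.113.10",               # client hit the bare IP: must be listed
    "api.example.com.evil.net",   # spoofed header, must not match
    "evil.net",
]


def check_all(allowed_hosts: Iterable[str]) -> dict:
    """Map each sample Host header to whether this ALLOWED_HOSTS accepts it."""
    return {h: validate_host(h, allowed_hosts) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    print("ALLOWED_HOSTS = ['.example.com']:", check_all([".example.com"]))
    print("ALLOWED_HOSTS = ['*']:          ", check_all(["*"]))
```

Running it shows that a client from any IP is accepted as long as the Host header it sends names the server (first three samples), that a request to the bare IP needs that IP listed explicitly, and that a crafted Host such as api.example.com.evil.net is rejected by the dot-wildcard. With ['*'] every row becomes True, which is exactly the header-spoofing exposure the question worries about; listing the server's real hostname (and its IP, if clients connect to it directly) keeps the check while still letting anyone call the API.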

The problem you are having has nothing to do with ALLOWED_HOSTS, and everything to do with CSRF protection. You have two options. You can disable cross site request forgery protection on the page by using either

    @method_decorator(csrf_exempt, name='dispatch')

above your class in Django >= 1.9, or decorating the dispatch method in previous versions of Django, such as this:

    from django.utils.decorators import method_decorator
    from django.views.decorators.csrf import csrf_exempt
    from django.views.generic import View

    class myView(View):
        @method_decorator(csrf_exempt)
        def dispatch(self, request, *args, **kwargs):
            return super(myView, self).dispatch(request, *args, **kwargs)

If you are concerned about who can gain access though, you will need to look into other authentication methods, such as token based authentication, so that only sites passing the proper token can get access.

ALLOWED_HOSTS is a list of strings or regular expressions representing the host/domain names that this Django site can serve. You need to use Token, JWT or any other authentication methods for protecting your APIs.
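Both answers above point to token authentication as the control that decides who may use the API once the endpoint is CSRF-exempt. The following added example (not Django REST framework's code and not from either answer) models that in plain Python: it follows the shape of DRF's TokenAuthentication header ("Authorization: Token <key>") but stores only a SHA-256 digest of each issued token, so a leaked token table does not hand out usable credentials. The token store, the request dictionaries and the api_view function are constructed for the example.

```python
"""Token authentication for an API endpoint, as a framework-free model.

Added illustration, not Django REST framework's own code. It follows the
shape of DRF's TokenAuthentication ("Authorization: Token <key>") but
stores only a SHA-256 digest of each token, so a leaked table does not
hand out usable credentials.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed store: digest(token) -> username. A real deployment keeps
# this in the database and shows the plain token to the user exactly once.
_TOKEN_STORE: Dict[str, str] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(username: str) -> str:
    """Create a random 40-hex-char token for a user and store only its digest."""
    token = secrets.token_hex(20)
    _TOKEN_STORE[_digest(token)] = username
    return token


def authenticate(headers: dict) -> Optional[str]:
    """Return the username for a valid 'Authorization: Token <key>' header.

    Browsers never attach this header on their own (unlike cookies), which
    is why CSRF protection is not what guards a token-authenticated API.
    """
    value = headers.get("Authorization", "")
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    # Lookup is by digest: no stored token is ever compared directly, and a
    # wrong token simply misses the dictionary.
    return _TOKEN_STORE.get(_digest(parts[1]))


def api_view(request: dict) -> Tuple[int, dict]:
    """Minimal endpoint: any client IP may call it, only token holders succeed."""
    user = authenticate(request.get("headers", {}))
    if user is None:
        return 401, {"detail": "Authentication credentials were not provided."}
    return 200, {"user": user, "items": [1, 2, 3]}


if __name__ == "__main__":
    tok = issue_token("alice")
    print(api_view({"headers": {"Authorization": f"Token {tok}"}}))
    # A session cookie alone never authenticates here, so a forged
    # cross-site request carrying only cookies gets 401.
    print(api_view({"headers": {"Cookie": "sessionid=abc"}}))
```

The design point is the split between the two answers' concerns: ALLOWED_HOSTS and CSRF decide whether Django will process a request at all, while the token lookup decides whether the caller is someone you chose to let in. Because the credential travels in a header the client must set explicitly, the endpoint can safely be csrf_exempt without opening it to cookie-riding requests.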
