Is 0.0.0.0 in Django ALLOWED_HOSTS a security risk?

Question

There's plenty of these questions based on configuration of Django's settings, but I'm asking from a security perspective--

Background: This is (obviously) a Django app which I am running inside a Docker container; gunicorn is running in that container and set to listen on port 8000 ( gunicorn my_app.wsgi:application --bind 0.0.0.0:8000 ). Nginx is public-facing (listening on 80) and running in a separate container. Nginx sends the requests to the Django container over the internal.network setup by docker-compose.

At the moment, I'm running this on a cloud machine with an ephemeral IP. I have added that to my ALLOWED_HOSTS so that it reads ALLOWED_HOSTS=['XX.XXX.XX.XX'] where xx.xxx.xx.xx is the actual IP. The application works.

My question: My application monitoring just informed me of an apparent error which read:

api_1    | 2020-07-29 16:50:24,498 django.security.DisallowedHost.response_for_exception ERROR    
Invalid HTTP_HOST header: '0.0.0.0:8000'. You may need to add '0.0.0.0' to ALLOWED_HOSTS.

This was not a request I made-- likely just some bot.

Should I actually add 0.0.0.0 to ALLOWED_HOSTS ? Or is that a security risk? Will that allow bogus requests through? What does 0.0.0.0 mean in the context of my Django application? If it should only get receiving requests sent by the nginx server, shouldn't those all have the xx.xxx.xx.xx IP as the host header?

I don't necessarily want all these bot/scanning requests to fill-up my application monitoring with junk and this does not seem to be a "real" error. My understanding of.networking is limited, so I apologize if this is a simple question.

Thanks!

Answer 1

I would only add the IP addresses or hosts that you know to be legitimate to ALLOWED_HOSTS. It is a setting to prevent bots from doing potential damage to your system.

In terms of filling up your application monitoring system, I would have a system that allows for ignoring these once you have reviewed them