Django team considers host header poisoning (CVE-2011-4139 and CVE-2012-4520) as a security issue that must be resolved at a framework level. Pyramid, for instance (that is, its underlying low-level request wrapper—webob) does not consider this as an issue.
On production & development machines I have nginx, which seems to pass the correct SERVER_NAME even if the Host header contains complete garbage, and responds with 444 No Response if there is no matching server_name.
Question: should I worry about Host header poisoning in such a case, if I use SERVER_NAME to build absolute URLs?
If you use nginx to sanitize the HTTP_HOST and SERVER_NAME fields, you are doing the right thing and do not need to worry about Host header poisoning.
Like Django, Pyramid considers a large part of this the task of the WSGI host environment. And nginx does an excellent, battle-hardened job of sanitizing the HTTP request information.
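For concreteness, here is an nginx configuration that produces the behaviour the question describes (unmatched Host dropped with 444, the application only reached through an explicit server_name) and that the answer relies on. This is an added example, not configuration from the question, the answer, nginx, Pyramid or Django; the host names example.com / www.example.com, the port and the uWSGI socket path are assumptions for illustration.

```nginx
# Added example, not from the original thread. Host names, port and socket
# path are assumptions.

# Catch-all server for port 80. Any request whose Host header matches none of
# the server_name entries below lands here and is closed with 444 (nginx drops
# the connection without sending a response). Without an explicit
# default_server, nginx would instead route an unmatched Host to the first
# server block defined for the port, i.e. straight into the application.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Application server: reached only when Host matches one of these names.
server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        # uwsgi_params (shipped with nginx) sets SERVER_NAME from
        # $server_name and HTTP_HOST from $http_host, among others.
        include uwsgi_params;
        uwsgi_pass unix:/run/app.sock;   # assumed uWSGI socket
    }
}
```

Two points worth checking in your own setup. First, $server_name is the first name listed in the matched server_name directive (here always example.com, even when the client sent www.example.com), while $http_host is the client's Host header passed through verbatim; so building absolute URLs from SERVER_NAME, as the question proposes, gives you the vetted value, whereas HTTP_HOST is still client-controlled within the set of names nginx accepts. If the server_name uses a wildcard or regular expression, $server_name is that pattern rather than a real host name, so keep server_name literal when you rely on it for URL building. Second, default_server is per listen address and port: a site that also listens on 443 needs its own catch-all server block there, otherwise HTTPS requests with an unknown Host fall through to the first server block on that port.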