
When should the hostname be in ALLOWED_HOSTS


I used to leave ALLOWED_HOSTS = [] when going with some hostname other than localhost or 127.0.0.1 with no problems. Today I encountered this error: Invalid HTTP_HOST header, asking me to add the hostname to ALLOWED_HOSTS, even when I commented out the other hostnames from /etc/hosts. I tried the other projects, and it worked with the same settings.

Why is it happening now? What's the use of ALLOWED_HOSTS? And why did it work without filling it before?


Solution

  • Recently, Django released 1.10.3, 1.9.11 and 1.8.16 to fix security issues.

    Following those releases, Django will check settings.ALLOWED_HOSTS even when settings.DEBUG=True. This protects against a DNS rebinding attack.

    If ALLOWED_HOSTS is empty, then Django will use ['localhost', '127.0.0.1', '::1']. However, if you use any other host, you will now need to add it to ALLOWED_HOSTS, even when DEBUG is True.
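
The check described in the answer above, as an added example that is not part of the original answer and is not Django's own code: a simplified, self-contained model of the Host header validation, including the `*` and leading-dot patterns that ALLOWED_HOSTS accepts. The hostname `myproject.test`, the function names and the sample Host headers are constructed for illustration.

```python
# Simplified model of the ALLOWED_HOSTS check (illustration, not Django's source).
# Fallback list used when ALLOWED_HOSTS is empty and DEBUG is True, as given in the answer.
DEV_FALLBACK = ["localhost", "127.0.0.1", "::1"]


def split_host(header):
    """Return the lowercase host from a Host header, without port or IPv6 brackets."""
    header = header.strip().lower()
    if header.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8000
        end = header.find("]")
        return header[1:end] if end != -1 else ""
    return header.rsplit(":", 1)[0] if ":" in header else header


def host_allowed(header, allowed_hosts, debug):
    """True if the Host header matches the effective allow-list."""
    patterns = list(allowed_hosts)
    if not patterns and debug:
        # The fallback applies only while the list is empty; once any
        # entry is set, localhost must be listed explicitly as well.
        patterns = DEV_FALLBACK
    host = split_host(header)
    if not host:
        return False
    for pattern in (p.lower() for p in patterns):
        if pattern == "*" or pattern == host:
            return True
        # ".example.test" matches example.test and every subdomain of it.
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


if __name__ == "__main__":
    # Constructed cases: (Host header, ALLOWED_HOSTS, DEBUG)
    cases = [
        ("localhost:8000", [], True),
        ("myproject.test:8000", [], True),  # the situation in the question
        ("myproject.test:8000", ["myproject.test"], True),
        ("localhost:8000", ["myproject.test"], True),
        ("api.myproject.test", [".myproject.test"], False),
    ]
    for header, allowed, debug in cases:
        verdict = "accepted" if host_allowed(header, allowed, debug) else "rejected"
        print(f"{header!r:28} ALLOWED_HOSTS={allowed!r:22} DEBUG={debug}: {verdict}")
```

For the situation in the question, the corresponding settings change is to list the development hostname explicitly, for example `ALLOWED_HOSTS = ['myproject.test', 'localhost', '127.0.0.1']`.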