[1.4.x] Note that ALLOWED_HOSTS default changes in Django 1.5.

2013-02-20 12:26:54 -07:00 · 2013-02-20 12:26:54 -07:00 · a57743c9ff
parent a6927d8219
commit a57743c9ff
1 changed files with 5 additions and 0 deletions
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -118,6 +118,11 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
 if your code accesses the ``Host`` header directly from ``request.META`` you
 are bypassing this security protection.

+The default value of this setting in Django 1.3.6+ is ``['*']`` (accept any
+host) in order to avoid breaking backwards-compatibility in a security update,
+but in Django 1.5+ the default is ``[]`` and explicitly configuring this
+setting is required.
+
 .. setting:: ALLOWED_INCLUDE_ROOTS

 ALLOWED_INCLUDE_ROOTS