Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS.

django/core/checks/security/base.py

@@ -95,6 +95,11 @@ W019 = Warning(
     id='security.W019',
 )
 
+W020 = Warning(
+    "ALLOWED_HOSTS must not be empty in deployment.",
+    id='security.W020',
+)
+
 
 def _security_middleware():
     return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
@@ -182,3 +187,8 @@ def check_xframe_deny(app_configs, **kwargs):
         settings.X_FRAME_OPTIONS == 'DENY'
     )
     return [] if passed_check else [W019]
+
+
+@register(Tags.security, deploy=True)
+def check_allowed_hosts(app_configs, **kwargs):
+    return [] if settings.ALLOWED_HOSTS else [W020]

docs/ref/checks.txt

@@ -476,6 +476,7 @@ of the :djadmin:`check` command:
   ``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
   for your site to serve other parts of itself in a frame, you should change
   it to ``'DENY'``.
+* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
 
 Sites
 -----

tests/check_framework/test_security.py

@@ -482,3 +482,18 @@ class CheckDebugTest(SimpleTestCase):
     @override_settings(DEBUG=False)
     def test_debug_false(self):
         self.assertEqual(self.func(None), [])
+
+
+class CheckAllowedHostsTest(SimpleTestCase):
+    @property
+    def func(self):
+        from django.core.checks.security.base import check_allowed_hosts
+        return check_allowed_hosts
+
+    @override_settings(ALLOWED_HOSTS=[])
+    def test_allowed_hosts_empty(self):
+        self.assertEqual(self.func(None), [base.W020])
+
+    @override_settings(ALLOWED_HOSTS=['.example.com', ])
+    def test_allowed_hosts_set(self):
+        self.assertEqual(self.func(None), [])