DisallowedHost at / Invalid HTTP_HOST header: - python

I am getting the error DisallowedHost at /
Invalid HTTP_HOST header: `'subdomain.example.com'`. You may need to add 'subdomain.example.com' to ALLOWED_HOSTS.
in my Django project, which is deployed on an IIS Windows server. Sometimes it works fine and sometimes it throws an error. I have even set DEBUG = False. I got an error page as it appears in DEBUG = True mode.
Sometimes it works fine, and sometimes it throws an error. I have already added my subdomain, i.e. (subdomain.example.com), in ALLOWED_HOSTS in settings.py.
Please help me to solve this problem permanently.

You need to set
ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'yourdomain.com']
in the settings file. Basically, every domain you are going to run your web app from needs to be in ALLOWED_HOSTS. I would suggest making separate settings files for development, production, etc.

Related

Flask Session Cookies Expire Almost Instantly, Can't Set SameSite Attribute

I am making a web application with a session cookie login system. When using the cookies, they expire within seconds, logging the user out of any service they were in. When I open my app I occasionally get a warning in the terminal that states UserWarning: The session cookie domain is an IP address. This may not work as intended in some browsers. Add an entry to your hosts file, for example "localhost.localdomain", and use that instead. I'm hosting this app on Heroku so I don't think editing my local file would help, but if there's a way to get this to be solved on Heroku that would be great. Another error message I get comes from the console in the website itself, which reads:
Cookie “session” will be soon rejected because it has the “SameSite” attribute set to “None”
or an invalid value, without the “secure” attribute. To know more about the “SameSite“
attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
I set the Session cookie in my web application to:
app.config["SESSION_FILE_DIR"] = tempfile.mkdtemp()
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"
app.config["SESSION_COOKIE_SECURE"] = True
app.config["SESSION_COOKIE_SAMESITE"] = "None"
Session(app)
But this didn't solve my problem and both errors keep coming up. If there's any way to manually set SameSite and Secure that would be fantastic. Getting an HTTPS connection on Heroku did not work. I don't know why this is happening and it breaks the site. If there's any advice anyone has, that would be greatly appreciated!
You need to use a domain name to access the service (https://domain.xxx/) and not the IP-address (https://123.123.123.213).
To avoid a lot of pain and errors, you should aim to use HTTPS, especially if you want cookies to work properly. Both the Secure and SameSite attributes require HTTPS to work properly in most cases. And to get HTTPS to work you need a domain name and a proper certificate.
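The three symptoms in this thread (SameSite=None without Secure, a Secure cookie on a non-HTTPS origin, and an IP address as cookie domain) can be checked directly on a response's Set-Cookie header. This is an added example, not code from the original posts; the function names, finding labels and sample headers are constructed for illustration.

```python
import ipaddress


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_ip(text):
    """True if text is an IPv4 or IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def audit_set_cookie(header, scheme):
    """Return the problems a browser would have with this cookie on this scheme."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    if attrs.get("samesite", "").lower() == "none" and not secure:
        findings.append("samesite-none-without-secure")  # the console message above
    if secure and scheme != "https":
        findings.append("secure-cookie-over-http")       # Secure needs an HTTPS origin
    if is_ip(attrs.get("domain", "").lstrip(".")):
        findings.append("cookie-domain-is-ip")           # the Flask UserWarning above
    return findings


# Constructed sample headers, not captured from a real application.
SAMPLES = [
    ("session=abc123; HttpOnly; Path=/; SameSite=None", "https"),
    ("session=abc123; Secure; HttpOnly; Path=/; SameSite=None", "http"),
    ("session=abc123; Domain=203.0.113.10; Secure; SameSite=None", "https"),
    ("session=abc123; Secure; HttpOnly; Path=/; SameSite=None", "https"),
]

if __name__ == "__main__":
    for header, scheme in SAMPLES:
        print(scheme, header, "->", audit_set_cookie(header, scheme) or "ok")
```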

Django Settings.py stuck on "SECURE_SSL_REDIRECT = True"

I added the setting
SECURE_SSL_REDIRECT = True
to my Django settings.py. It works perfectly in production mode, so no issues there. However, if I now change it to the following to test in development mode
SECURE_SSL_REDIRECT = False
I get the following error
You're accessing the development server over HTTPS, but it only supports HTTP.
What could the issue be? Seems like something is making it not register the new value.
Clearing the browser cache helps. You can do that in the browser settings.

DisallowedHost error not going away when adding IP address to ALLOWED_HOSTS

If I set ALLOWED_HOSTS = ['*'] I am able to make a successful call, however this seems dangerous and counterintuitive.
When I set ALLOWED_HOSTS to the recommended string, it fails. How to fix this?
Since you've tagged your post with AWS, I assume the host in question is an AWS EC2 instance. If so, try putting in your EC2 private IP or your full domain instead, like:
['ip-XX-XX-XX-XX.XX-XXX-X.compute.internal']
OR
['.yourdomain.com']
The preceding . in your domain name represents a wildcard, as described in Django's docs.
I encountered this and found the reason. There were 2 different tabs running the server. For test reasons I had just started the server in another tab. Django doesn't warn in the second tab, so your requests are most probably going to the other tab running the server.
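How the exact, leading-dot and `'*'` forms of ALLOWED_HOSTS discussed in this thread treat different Host headers, as an added example: it re-implements the matching rules described in Django's documentation and is not Django's own source or code from the posts. The function names and sample Host values are constructed.

```python
def split_port(host_header):
    """Lower-case the Host header value and drop an optional :port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8000
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_allowed(host_header, allowed_hosts):
    """Return True if the Host header matches any ALLOWED_HOSTS pattern."""
    host = split_port(host_header).rstrip(".")   # tolerate a trailing FQDN dot
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":                       # matches every Host header
            return True
        if pattern.startswith("."):              # ".example.com": domain and subdomains
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:                    # anything else is an exact match
            return True
    return False


# Constructed Host header values a deployed server might receive.
SAMPLE_HOSTS = [
    "subdomain.example.com",
    "SUBDOMAIN.example.com:443",
    "example.com",
    "10.0.0.12",            # same server reached by IP instead of by name
    "unexpected.invalid",   # Host header the site owner never configured
]


def report(allowed_hosts):
    """Map each sample Host header to whether the given setting accepts it."""
    return {h: host_allowed(h, allowed_hosts) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for setting in (["subdomain.example.com"], [".example.com"], ["*"]):
        print(setting)
        for host, ok in report(setting).items():
            print("   ", "accept" if ok else "reject", host)
```

With `['*']` every sample is accepted, including the unconfigured one, which is why an explicit list or a leading-dot pattern is the safer setting.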

Django: Avoid showing error details in production

I am trying to make sure that my site is properly protected from showing the details of the error in production.
I've been struggling with this for a while, as at the beginning I understood that in order to keep Django from showing the error (module, line of code, etc.) all that was needed was changing DEBUG from True to False in settings.py.
However, I realized that Django was still showing error details, so I investigated a bit more and came to know that the following was also needed:
TEMPLATE_DEBUG = DEBUG in settings.py
404.html and 500.html inside the templates folder
Is there anything else needed to make sure that the user does not get those messages?
And how does Django deal with the other kinds of errors, like 400? I saw here that there are handlers for 400 and 403, but I do not understand them and I don't know if they are needed at all for a basic use case.
If DEBUG is False, Django doesn't show error details to the user. If it did in your case, the most likely explanations are either that it's not using the settings.py file you think it's using (in which case you should check the Python path, the directory from which you run manage.py, and the value of DJANGO_SETTINGS_MODULE), or that you did not restart Gunicorn/uWSGI/Apache after you made the change to settings.py (Django does not restart itself automatically in production like it does in development).
As for 400 and 403, just leave the Django defaults. If Django receives a bad request (unlikely in production, because this will usually be caught by Apache or nginx), it will call bad_request() which will just show a "400 bad request" to the user. Likewise for other errors.

DEBUG = True still 500 error

I went into settings.py in the Django Framework for my site because I had run into a 500 Internal Server Error. I'd heard that this happens when DEBUG = False, however, my DEBUG is set to True and it still does not give me anything more specific than a 500 Internal Server Error.
My site was running perfectly fine and all of a sudden this error occurred...any thoughts?? I checked my wsgi link and nothing had changed there as well!
