python - Is ALLOWED_HOSTS needed on Heroku?

Question

From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.

It looks like Heroku's Custom Domains do the same thing.

So instead of adding a required ALLOWED_HOSTS variable in your app.json for the Heroku Button (since it feels redundant and is error-prone when you're in a hurry), can you set ALLOWED_HOSTS = ['*'] and allow Heroku to verify the requests are coming where they should instead?

Answer 1

Note that Heroku removed ['*'] from the getting started guide in December 2017.

I recommend setting ALLOWED_HOSTS = ['.herokuapp.com'].

Even though Heroku's domain service is providing this protection, specifying the setting will be a reminder to update the configuration if moved to another hosting service.