From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.

It looks like Heroku's Custom Domains do the same thing.

So instead of adding a required ALLOWED_HOSTS variable in your app.json for the Heroku Button (since it feels redundant and is error-prone when you're in a hurry), can you set ALLOWED_HOSTS = ['*'] and allow Heroku to verify the requests are coming where they should instead?
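The Host check the question refers to, as an added example that is not part of the original post and is not Django's own code: a simplified stand-alone sketch of the matching rules Django documents for ALLOWED_HOSTS, showing what an explicit list rejects and what `['*']` lets through. The function names, the comma-separated setting format and the hostnames are assumptions constructed for illustration.

```python
def split_port(host_header):
    """Return the domain part of a Host header value, lowercased."""
    host = host_header.strip().lower()
    if host.endswith("]"):          # bracketed IPv6 literal without a port
        return host
    domain = host.rsplit(":", 1)[0] if ":" in host else host
    return domain[:-1] if domain.endswith(".") else domain


def host_matches(domain, pattern):
    """Apply one ALLOWED_HOSTS pattern to an already-normalised domain."""
    pattern = pattern.lower()
    if pattern == "*":              # wildcard: every Host value passes
        return True
    if pattern.startswith("."):     # ".example.org" = the domain and its subdomains
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern        # otherwise an exact match is required


def parse_allowed_hosts(raw):
    """Parse a comma-separated config value (hypothetical format) into a list."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def is_allowed(host_header, allowed_hosts):
    """True when the Host header matches at least one configured pattern."""
    domain = split_port(host_header)
    return any(host_matches(domain, p) for p in allowed_hosts)


# Constructed sample configuration and requests.
EXPLICIT = parse_allowed_hosts("shop.example.com, .example.org")
WILDCARD = ["*"]

if __name__ == "__main__":
    for header in ("shop.example.com:443", "www.example.org",
                   "evilexample.org", "attacker.test"):
        print(f"{header:22} explicit={is_allowed(header, EXPLICIT)!s:5} "
              f"wildcard={is_allowed(header, WILDCARD)}")
```

With the wildcard, the application accepts any Host value that reaches it, so whatever sits in front of it is the only thing validating that header.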