maya-chen/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

security docs for TRUSTED_HOSTS

Browse source
This commit is contained in:
David Lord 2025-08-18 11:42:48 -07:00
parent ff64079a51
commit b228ca3d87
No known key found for this signature in database
GPG key ID: 43368A7AA8CC5926
1 changed files with 21 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

21
docs/web-security.rst
View file

@ -269,6 +269,27 @@ values (or any values that need secure signatures).
.. _samesite_support: https://caniuse.com/#feat=same-site-cookie-attribute .. _samesite_support: https://caniuse.com/#feat=same-site-cookie-attribute
Host Header Validation
----------------------
The ``Host`` header is used by the client to indicate what host name the request
was made to. This is used, for example, by ``url_for(..., _external=True)`` to
generate full URLs, for use in email or other messages outside the browser
window.
By default the app doesn't know what host(s) it is allowed to be accessed
through, and assumes any host is valid. Although browsers do not allow setting
the ``Host`` header, requests made by attackers in other scenarios could set
the ``Host`` header to a value they want.
When deploying your application, set :data:`TRUSTED_HOSTS` to restrict what
values the ``Host`` header may be.
The ``Host`` header may be modified by proxies in between the client and your
application. See :doc:`deploying/proxy_fix` to tell your app which proxy values
to trust.
Copy/Paste to Terminal Copy/Paste to Terminal
---------------------- ----------------------