HTTP_HOST Stripping via Firewalls and VPNs

I have an issue that’s presenting as a CORS-related issue from a frontend (React) making API calls to a backend (Django). However, looking at the logs, I’m seeing things like this:

django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: ‘123.456.789.101:8007’. You may need to add ‘123.456.789.101’ to ALLOWED_HOSTS.

The site works fine from my PC, several friends, and mobile devices, via my VPN, but fails to make API requests when behind certain firewalls (corporate) or via online VPN services that let one type in a website and visit it via an in-browser window (not naming names because that's beside the point here).

What seems to be the issue is a security measure whereby the firewalls are stripping out the HTTP_HOST specified by the site and adding in the actual IP to avoid e.g. HTTP_HOST-based spoofing.

Is there any way to address this that doesn't involve assigning a static IP to my host and hard-coding that into ALLOWED_HOSTS? For example, I like testing new apps on easy 1-click-deploy services like Digital Ocean, Railway, Netlify, etc., which are great but don't always provide the option of a static IP (not focusing on a specific service here).

Am I stuck hoping my PaaS provider exposes instance IPs as environment variables?

Currently considering an API gateway mapped to a static IP as it seems the most flexible, but it’s often a bit overkill for small scale or small scope projects I work on.
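To make the failure in the log concrete, here is an added example (not code from the post or from Django itself): a stand-alone re-implementation of how Django's ALLOWED_HOSTS check matches a Host header, with the port stripped before matching. It assumes a constructed ALLOWED_HOSTS of `.example.com` and ignores the DEBUG-mode defaults and the X-Forwarded-Host setting, so it only shows why a rewritten `ip:port` Host value is rejected and why adding the bare IP would pass.

```python
# Added example: mirrors the shape of Django's host validation so the
# DisallowedHost error from the question can be reproduced offline.
import re

# Host header = IPv6 literal or hostname/IPv4, followed by an optional port.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^\s:/]+)(?::(\d{1,5}))?$")


def split_domain_port(host_header):
    """Return (domain, port) for a raw Host value; domain is lowercased."""
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return "", ""
    return m.group(1).lower().rstrip("."), m.group(2) or ""


def host_matches_pattern(domain, pattern):
    """One ALLOWED_HOSTS entry: '*' matches anything, '.example.com' matches
    the domain and every subdomain, anything else must match exactly."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def validate_host(host_header, allowed_hosts):
    """True if the Host header (port removed) is permitted by allowed_hosts."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(host_matches_pattern(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    allowed = [".example.com"]  # constructed settings.ALLOWED_HOSTS
    # Host as the browser sent it vs. Host as rewritten by the intermediary
    for h in ["api.example.com", "123.456.789.101:8007"]:
        print(h, "->", validate_host(h, allowed))
```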

  • This doesn’t seem related to CORS.
