Security Best Practice

Itzbenz edited this page Dec 1, 2022 · 3 revisions

ALLOW_ALL_HOST

  • Never use this in production without an isolated network
  • or this is what happened:

(screenshot not preserved in this copy)

(Un)Isolated Private Network

  • Imagine an attacker requests http://supersecretserver.local/nuclear.php. That server is not exposed to the internet, but thanks to your effort the attacker is able to tunnel to it through this API.
  • Innocent-looking example: https://example.com/api/v3/classification/http://192.168.1.39/img/module_table_top.png

Solution

  • Specify ALLOWED_HOST manually
  • Blacklist servers using BLOCKED_HOST
  • Or, if you want to use ALLOW_ALL_HOST, firewall and isolate your app
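As an added illustration (not the project's own code), the check below shows how the three settings named on this page compose at fetch time: BLOCKED_HOST is consulted first, ALLOWED_HOST is the default allowlist, and ALLOW_ALL_HOST opens everything except literal private or loopback addresses. The setting values and hostnames are constructed; the function name is_fetch_allowed is hypothetical.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample settings, named after the options this page describes.
ALLOW_ALL_HOST = False
ALLOWED_HOST = {"images.example.org", "cdn.example.org"}
BLOCKED_HOST = {"supersecretserver.local"}


def host_is_private(host: str) -> bool:
    """True if host is a literal IP inside a loopback, private, link-local or reserved range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address; nothing to judge without DNS
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def is_fetch_allowed(url: str, allow_all=ALLOW_ALL_HOST,
                     allowed=ALLOWED_HOST, blocked=BLOCKED_HOST) -> bool:
    """Decide whether the API may fetch url on the caller's behalf (hypothetical helper)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # no file://, gopher:// or other schemes reachable via the fetcher
    host = parsed.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host in blocked:
        return False  # BLOCKED_HOST wins over everything else
    if allow_all:
        # ALLOW_ALL_HOST: only literal internal addresses such as 192.168.1.39 are refused.
        # A hostname that resolves to an internal address still gets through, which is why
        # the page insists on a firewall and network isolation in this mode.
        return not host_is_private(host)
    return host in allowed  # default: explicit ALLOWED_HOST allowlist
```

The allow_all branch deliberately does no DNS resolution, so it cannot stop a public name pointing at an internal address; that gap is exactly what isolation of the app network covers.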