Django devs,

I've noticed that the new ALLOWED_HOSTS causes the site to return HTTP-500 errors whenever a user submits a request with an HTTP_HOST header that is not allowed. This is flooding my developers' inboxes with spurious error messages. The site is refusing the requests as expected, but it is doing so with a *server* error, when in fact the error is a problem with what the *clients* are doing.

I'd like to start a discussion here before I create a bug report, but I believe this should instead be returning a 403 Forbidden response (based on my reading of http://httpstatus.es/403), or at least something in the 4xx (Client Error) range. This might be appropriate for other SuspiciousOperation exceptions as well, though it's probably worth discussing just how they are each handled.

In short, I think 500 makes it look like there's something wrong with the server, when in fact the response is being blocked because the server is doing the right thing.

If there's some consensus that this would be a helpful enhancement, I'll write up a bug report and see if I can create a patch to accompany it. Otherwise, I'll try to fix it for my own use in a custom middleware.

Cheers,
Cliff
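
The custom-middleware workaround mentioned in the message, sketched as an added example that is not part of the original message or of Django's code: a standard-library WSGI wrapper that answers a disallowed Host header with 403 before the request reaches the application. The names `HostFilter`, `host_allowed` and `split_host` and the sample allow list are assumptions; the leading-dot subdomain pattern follows the ALLOWED_HOSTS convention.

```python
# Added example: WSGI wrapper that rejects disallowed Host headers with 403.
# ALLOWED_HOSTS is a constructed sample value, not taken from the message.
ALLOWED_HOSTS = ["example.com", ".example.org"]


def split_host(header):
    """Return the lower-cased host without port, or "" if it is malformed."""
    host = header.strip().lower()
    if not host or any(c in host for c in " \t/\\@"):
        return ""
    if host.startswith("["):                  # IPv6 literal such as [::1]:8000
        name, sep, port = host.partition("]:")
        name = name + "]" if sep else host
        ok = name.endswith("]") and (not sep or port.isdigit())
        return name if ok else ""
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return ""
    return name.rstrip(".")                   # tolerate a trailing FQDN dot


def host_allowed(header, allowed=ALLOWED_HOSTS):
    """True if the Host header matches an entry of the allow list."""
    host = split_host(header)
    if not host:
        return False
    for pattern in (p.lower() for p in allowed):
        if pattern == "*" or pattern == host:
            return True
        # A leading dot matches the bare domain and any of its subdomains.
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


class HostFilter:
    """Wrap a WSGI app; a disallowed Host gets 403 instead of reaching the app."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        # Assumption: a request with no Host header at all is rejected too.
        if host_allowed(environ.get("HTTP_HOST", ""), self.allowed):
            return self.app(environ, start_response)
        body = b"Forbidden\n"                 # never echo the supplied host back
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
```

In a Django deployment the wrapper would go around the object returned by `get_wsgi_application()`, leaving Django's own ALLOWED_HOSTS check in place behind it.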
