improved allowed hosts docs, default config and added a system warning

.env.template

@@ -6,6 +6,9 @@
 # random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
 SECRET_KEY=
 
+# allowed hosts (see documentation), should be set to your hostname(s) but might be * (default) for some proxies/providers
+# ALLOWED_HOSTS=recipes.mydomain.com
+
 # add only a database password if you want to run with the default postgres, otherwise change settings accordingly
 DB_ENGINE=django.db.backends.postgresql
 POSTGRES_HOST=db_recipes

cookbook/templates/system.html

@@ -83,6 +83,17 @@
         {% trans 'Everything is fine!' %}
     {% endif %}
     
+    <h4 class="mt-3">{% trans 'Allowed Hosts' %} <span
+            class="badge badge-{% if '*' in allowed_hosts  %}warning{% else %}success{% endif %}">{% if '*' in allowed_hosts %}
+        {% trans 'Warning' %}{% else %}{% trans 'Ok' %}{% endif %}</span></h4>
+    {% if debug %}
+        {% blocktrans %}
+            Your allowed hosts are configured to allow every host. This might be ok in some setups but should be avoided. Please see the docs about this.
+        {% endblocktrans %}
+    {% else %}
+        {% trans 'Everything is fine!' %}
+    {% endif %}
+
     <h4 class="mt-3">{% trans 'Database' %}
         <span class="badge badge-{{ postgres_status }}">
             {% if postgres_status == 'warning' %}

cookbook/views/views.py

@@ -348,7 +348,7 @@ def system(request):
         request, 'system.html', {
             'gunicorn_media': settings.GUNICORN_MEDIA, 'debug': settings.DEBUG, 'postgres': postgres, 'postgres_version': postgres_ver, 'postgres_status': database_status,
             'postgres_message': database_message, 'version_info': VERSION_INFO, 'plugins': PLUGINS, 'secret_key': secret_key, 'orphans': orphans, 'migration_info': migration_info,
-            'missing_migration': missing_migration,
+            'missing_migration': missing_migration, 'allowed_hosts': settings.ALLOWED_HOSTS,
         })
 
 

docs/system/configuration.md

@@ -27,6 +27,18 @@ SECRET_KEY_FILE=/path/to/file.txt
 #$tp%v6*(*ba01wcz(ip(i5vfz8z$f%qdio&q@anr1#$=%(m4c
 ```
 
+#### Allowed Hosts
+
+> default `*` - options: `recipes.mydomain.com,cooking.mydomain.com,...` (comma seperated domain/ip list)
+
+Security setting to prevent HTTP Host Header Attacks,
+see [Django docs](https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts).
+Some proxies require `*` (default) but it should be set to the actual host(s).
+
+```
+ALLOWED_HOSTS=recipes.mydomain.com
+```
+
 ### Database
 
 Multiple parameters are required to configure the database.
@@ -92,17 +104,6 @@ Port for gunicorn to bind to. Should not be changed if using docker stack with r
 TANDOOR_PORT=8080
 ```
 
-#### Allowed Hosts
-
-> default `*` - options: `recipes.mydomain.com,cooking.mydomain.com,...` (comma seperated domain/ip list)
-
-Security setting to prevent HTTP Host Header Attacks,
-see [Django docs](https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts).
-Many reverse proxies handle this and require the setting to be `*` (default).
-
-```
-ALLOWED_HOSTS=recipes.mydomain.com
-```
 
 #### URL Path