Will It Vibe logoWill It Vibe?
ENVCFG-009Medium severity-8 points

Wildcard ALLOWED_HOSTS

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

ALLOWED_HOSTS = "*" disables the Host header allowlist, so the app answers to any Host value. That enables Host-header poisoning of password-reset links, cache keys, and absolute URLs.

Why it matters

ALLOWED_HOSTS set to "*" removes the Host header allowlist, so the app answers to any Host value a client sends. That enables Host-header attacks: poisoned password-reset and absolute links that point at an attacker domain, and cache poisoning keyed on Host. The wildcard is convenient during setup and dangerous in production.

How to fix it

List the exact domains the app serves in ALLOWED_HOSTS (for example app.example.com and any needed subdomains), driven from an environment variable per environment. Avoid the bare wildcard; if you need subdomains, use a scoped pattern rather than "*". Confirm requests with an unexpected Host are rejected.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks