Is ALLOWED_HOSTS needed on Heroku?

Question

From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.

It

Answer 1

Note that Heroku removed ['*'] from the getting started guide in December 2017.

I recommend setting ALLOWED_HOSTS = ['.herokuapp.com'].

Even though Heroku's domain service is providing this protection, specifying the setting will be a reminder to update the configuration if moved to another hosting service.