Unable to resolve "ALLOWED_HOSTS" error.

I've added '' inside ALLOWED_HOSTS list but I am still getting this error.

2013-07-22 14:10:17,145 :Internal Server Error: /favicon.ico
 Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/", line 89, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/django/middleware/", line 55, in process_request
    host = request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/django/http/", line 179, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS):

Any idea how to fix this?

Have you tried setting it to the accept all hosts ['*']. Obviously I wouldn't recommend this as a long term solution but this would at least tell you if the changes you are making to your settings are actually having some effect. Is it possible that you are defining ALLOWED_HOSTS twice?

['*'] is also not working, I am still getting the same error. I checked the file, ALLOWED_HOSTS is defined only once.

Hi monty,

Okay, it looks like Django refuses to validate a hostname that contains underscores. You'll either have to create a new PythonAnywhere account with a different username (try a hyphen "-") or use a different web framework.

To be fair, hostnames with underscores are not valid according to the RFCs. Of course, this only applies to hostnames - other DNS records can freely contain underscores, or indeed more or less any other character.

Given that usernames are always used as hostnames on PA (at least for free accounts) I wonder if it's worth barring underscores from names, or possibly transforming the username to a canonical version without underscores for the hostname (although you'd need to check for username conflicts based on the canonicalised version, of course). Although underscores will often work most of the time, they can lead to odd problems later - ignoring this Django issue, I believe IE9 has problems setting cookies on URLs including a hostname which isn't RFC-compliant.

Thanks @hansel, problem solved thanks to one of the pythonanywhere employee(or may be that was you).

How to resolve SuspiciousOperation: Invalid HTTP_HOST header error?

Just a correction here -- we actually disabled creation of accounts with underscores in the name sometime last summer for this reason. Looks like you (@monty_singh) signed up before we did that.

change ALLOWED_HOSTS = ('*') in

That's not ideal; firstly, setting it as you describe is incorrect because it would set ALLOWED_HOSTS to the string "*", because the brackets would just be treated as parentheses instead of creating a tuple. To create a tuple you'd do this (note the extra comma):


...or you could create a list like this:


However, even if you used that code, it's not something we'd recommend. Django's insistence that you specify a sequence of allowed hosts is a security feature and helps avoid some quite subtle problems. Setting ALLOWED_HOSTS to allow any host disables that. Much better to specify the proper hostname.

Thanks for the above suggestions. It worked for me :)

Excellent! Glad we could help :-)

Hi. I'm having the same issue. Even though I made the changes to the file, the settings listed on the page(my web app page) is still showing ALLOWED_HOSTS as empty. I did a push and confirmed on github that the changes have been made but still I'm getting disallowedhost error and the ALLOWED_HOSTS list is empty on that page.

Did you reload your web app on the Web App Configuration page after making the change?

Yes, I did. Multiple times. Still the same error. It should also reflect the changes on the web app page, right, where the settings are listed?

Can I take a look at your files? We can see them from our admin interface, but we always ask for permission first.

Has this issue been resolved? I'm trying to run a Django app and I'm facing the same issue. I've changed my ALLOWED_HOSTS as mentioned above, doesn't seem to help. My username has no underscores.

If ALLOWED_HOSTS is set correctly, then you won't get the error message. Make sure you've spelled everything correctly and that you've reloaded your web app since making the change.