Django 1.8.16 release notes

    Django 1.8.16 fixes two security issues in 1.8.15.

    This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker’s connection).

    DNS rebinding vulnerability when DEBUG=True

    Older versions of Django don’t validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack.

    The Host header is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed . If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values.
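The change described above, modelled in plain Python as an added example (it is not Django's own code): it compares the check before and after 1.8.16 for a rebinding-style Host header and shows why a production ALLOWED_HOSTS value in local settings removes the localhost fallback. The names `host_allowed`, `split_host`, `matches` and the `patched` flag are hypothetical, and the loopback names in `LOCAL_FALLBACK` are an assumption, since the exact list is not present on this page.

```python
# Simplified model of the Host check; illustration only, not Django's source.
LOCAL_FALLBACK = ["localhost", "127.0.0.1", "[::1]"]  # assumed loopback names


def split_host(header):
    """Lower-case the Host header value and strip an optional :port."""
    host = header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    return host.rsplit(":", 1)[0] if ":" in host else host


def matches(host, pattern):
    """ALLOWED_HOSTS matching: exact name, '*', or '.example.com' subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(header, allowed_hosts, debug, patched=True):
    """Return True if a request carrying this Host header would be served."""
    if debug and not patched:
        return True  # older behaviour: no validation while DEBUG=True
    effective = allowed_hosts
    if patched and debug and not allowed_hosts:
        effective = LOCAL_FALLBACK  # convenience fallback for local development
    host = split_host(header)
    return bool(host) and any(matches(host, p) for p in effective)


if __name__ == "__main__":
    # Constructed Host headers: a rebound attacker name and a local dev server.
    for header in ("attacker.example:8000", "localhost:8000"):
        old = host_allowed(header, [], debug=True, patched=False)
        new = host_allowed(header, [], debug=True)
        print(f"{header:24} before fix: {old}  after fix: {new}")
```
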