Wildcard ALLOWED_HOSTS enables host header injection attacks
Tags: warning, security. Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Django's ALLOWED_HOSTS is set to ["*"] (wildcard), so the application accepts requests carrying any Host header. Because Django builds absolute URLs from that header, this can enable host header injection and web cache poisoning attacks in certain proxy configurations.
Recommended action:
Set ALLOWED_HOSTS to an explicit list of valid domains. Read the list from an environment variable (the import was missing from the original snippet):

    import os
    ALLOWED_HOSTS = [h.strip() for h in os.getenv("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]

Add validation so a missing value fails at process start rather than at the first request:

    if not ALLOWED_HOSTS and not DEBUG:
        raise RuntimeError("DJANGO_ALLOWED_HOSTS must be set in production")
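The following is an added example, not code from the finding above or from Django itself. It packages the recommended action into a settings-style loader that parses DJANGO_ALLOWED_HOSTS, audits the result (empty list in production, or a "*" entry that reintroduces the wildcard), and fails fast. It also includes a small stand-alone reimplementation of Django's documented matching rules (exact match, "*" matches everything, a leading dot matches the domain and its subdomains) so the effect of a wildcard versus an explicit list can be seen without installing Django. The function names, the environment dict and the sample Host headers are constructed for the example.

```python
import os


def parse_allowed_hosts(raw):
    """Split a comma-separated DJANGO_ALLOWED_HOSTS value into a clean list."""
    return [h.strip() for h in raw.split(",") if h.strip()]


def audit_allowed_hosts(allowed_hosts, debug):
    """Return the problems a startup check should refuse to run with.

    Mirrors the finding: an empty list in production is a misconfiguration,
    and a bare "*" entry accepts any Host header.
    """
    problems = []
    if debug:
        return problems
    if not allowed_hosts:
        problems.append("DJANGO_ALLOWED_HOSTS must be set in production")
    for h in allowed_hosts:
        if h == "*":
            problems.append(f"wildcard entry {h!r} accepts any Host header")
    return problems


def load_allowed_hosts(environ, debug):
    """settings.py-style loader: parse the env var, then fail fast on problems.

    `environ` is passed in (e.g. os.environ) so the loader can be exercised
    with a constructed dict.
    """
    hosts = parse_allowed_hosts(environ.get("DJANGO_ALLOWED_HOSTS", ""))
    problems = audit_allowed_hosts(hosts, debug)
    if problems:
        raise RuntimeError("; ".join(problems))
    return hosts


def split_host_port(host_header):
    """Strip an optional :port, keeping IPv6 literals such as [::1]:8000 intact."""
    if host_header.startswith("["):
        end = host_header.find("]")
        return host_header[: end + 1] if end != -1 else host_header
    return host_header.rsplit(":", 1)[0]


def host_is_allowed(host_header, allowed_hosts):
    """Reimplementation (assumption: follows Django's documented rules) of
    ALLOWED_HOSTS matching: exact match, "*" matches everything, and a
    pattern with a leading dot matches the domain itself plus any subdomain."""
    host = split_host_port(host_header).lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed environment standing in for the real process environment.
    env = {"DJANGO_ALLOWED_HOSTS": "example.com, .api.example.com"}
    explicit = load_allowed_hosts(env, debug=False)
    print("loaded:", explicit)
    print("audit of wildcard config:", audit_allowed_hosts(["*"], debug=False))

    # Constructed Host headers: a legitimate one and an unrelated one.
    for header in ["www.api.example.com:443", "untrusted.example.net"]:
        print(f"{header!r}: explicit={host_is_allowed(header, explicit)} "
              f"wildcard={host_is_allowed(header, ['*'])}")
```

Running the module shows the explicit list accepting only the configured domains while the wildcard list accepts the unrelated Host header too, which is exactly the gap the finding describes. The audit function is what a deployment check or CI step would call; the loader is what settings.py would call.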