Skip to content

docs: add warning and best practices for url_for(..., _external=True)… #5722

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

docs: add warning and best practices for url_for(..., _external=True)… #5722

wants to merge 1 commit into from

Conversation

ranveer9
Copy link

Description of the Change

This pull request adds a warning and best practices to the Web Security documentation regarding the use of url_for(..., _external=True) without setting SERVER_NAME or trusted_hosts. The new section explains the risk of host header injection and provides recommendations for safer configuration. This aims to improve developer awareness and help prevent potential security vulnerabilities, as discussed in #5718.

How it Addresses the Issue

  • Documents the risk of host header injection when generating external URLs.
  • Recommends setting SERVER_NAME and using trusted_hosts.
  • References the ProxyFix documentation for further guidance.

Relevant Issue
fixes #5718

@BrookeYangRui
Copy link

Thanks for working on this! I really appreciate how clearly the risks and recommendations were described.

This patch aligns well with the concerns I originally raised in issue #5718, glad to see it resolved!

@davidism davidism mentioned this pull request Jun 3, 2025
Closed
@pallets pallets deleted a comment from Viosassin Aug 12, 2025
davidism
davidism reviewed Aug 18, 2025
View reviewed changes
docs/web-security.rst
---------------------------------------

When generating external URLs using :func:`url_for` with the ``_external=True`` argument,
Flask constructs the URL using the requeust's ``Host`` header by default. If your application
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It always uses the Host header, not only by default. That's why the config needs to be set.

docs/web-security.rst
**Best Practices:**

- Always set :data:`SERVER_NAME` in your configuration for production deployments.
- Consider using :data:`trusted_hosts` to restrict which hosts are accepted.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Request.trusted_hosts attribute on the individual request is not the correct place to start. Instead, use the global TRUSTED_HOSTS config. The attribute is used to modify that per-request.

docs/web-security.rst
**Best Practices:**

- Always set :data:`SERVER_NAME` in your configuration for production deployments.
- Consider using :data:`trusted_hosts` to restrict which hosts are accepted.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't "consider" using it, do use it, it's the only thing that actually protects from the issue.

docs/web-security.rst
critical when generating links for password resets or other sensitive actions that may be
sent to users.

.. warning::
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the same statement as the previous paragraph, just restated in a warning block and bold now.

docs/web-security.rst

**Best Practices:**

- Always set :data:`SERVER_NAME` in your configuration for production deployments.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SERVER_NAME is only used outside of requests, where the injection isn't relevant because there's not request or Host header anyway.

docs/web-security.rst

When generating external URLs using :func:`url_for` with the ``_external=True`` argument,
Flask constructs the URL using the requeust's ``Host`` header by default. If your application
does not explicitly set the :data:`SERVER_NAME` configuration or use :data:`trusted_hosts`,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both of these are wrong, see further on.

@davidism
Copy link
Member

Heads up, all this information is wrong in various ways. Do not use AI, especially in regards to information about security.

@davidism davidism closed this Aug 18, 2025
@davidism
Copy link
Member

#5798

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@davidism davidism davidism left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Recommend Warning and Safer Defaults for url_for(..., _external=True)
3 participants
@ranveer9 @BrookeYangRui @davidism