From 4ca770da28ca65fb0a4ef9de626e8dca961c313c Mon Sep 17 00:00:00 2001
From: Klaas van Schelven <klaas@vanschelven.com>
Date: Tue, 8 Jul 2025 17:36:01 +0200
Subject: [PATCH] Skip ALLOWED_HOSTS validation for /health/ endpoints

Health checks are often done directly against an IP address rather than using a
full hostname. This is annoying to set up if the IP address can be one from a
large range.

The things that ALLOWED_HOSTS defend against don't really apply for health
endpoints, so better not have the check.

Fix #140
---
 bugsink/wsgi.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/bugsink/wsgi.py b/bugsink/wsgi.py
index 65d3892..243b411 100644
--- a/bugsink/wsgi.py
+++ b/bugsink/wsgi.py
@@ -19,9 +19,10 @@ os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'bugsink_conf')
 
 class CustomWSGIRequest(WSGIRequest):
     """
-    Custom WSQIRequest subclass with 2 fixes:
+    Custom WSQIRequest subclass with 3 fixes/changes:
 
     * Chunked Transfer Encoding (Django's behavior is broken)
+    * Skip ALLOWED_HOSTS validation for /health/ endpoints (see #140)
     * Better error message for disallowed hosts
 
     Note: used in all servers (in gunicorn through wsgi.py; in Django's runserver through WSGI_APPLICATION)
@@ -56,6 +57,10 @@ class CustomWSGIRequest(WSGIRequest):
         try:
             return super().get_host()
         except DisallowedHost as e:
+            if self.path.startswith == "/health/":
+                # For /health/ endpoints, we skip the ALLOWED_HOSTS validation (see #140).
+                return self._get_raw_host()
+
             message = str(e)
 
             if "ALLOWED_HOSTS" in message: