by eli 4994 days ago
I can't totally disagree, but "enforcing a whitelist on the server" is not exactly a tall order. It's the default for many installs and IMHO is already a clear best practice for a production web server. Having your site available under hostnames you didn't intend to make public is generally not a good idea -- it runs the risk of Google picking the wrong one as canonical for one thing.

I agree, it's not a tall order on the webserver... but that means it's not a tall order in Django either... and Django devs may find it easier to do in Python/Django, compared to translating the Django admonitions into their various local server configurations.

Even if it's easy enough to do it elsewhere, if in practice it gets overlooked, and the risks of overlooking it are high, that would be a reason to make the lazy/common path the safest path.
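The whitelist both comments are talking about is a check on the incoming Host header: the application (or the web server in front of it) only answers for hostnames it was deliberately configured to serve, and sends a 400 for anything else. The example below is added here to show what that check looks like in Python; it is not Django's code, and the semantics (case-insensitive match, port stripped, trailing dot ignored, leading-dot pattern for subdomains, bracketed IPv6 literal) only approximate what a Django ALLOWED_HOSTS setting does. All function names and the WSGI middleware are assumptions for illustration.

```python
import re

# Hostnames are letters, digits, dots and hyphens, or a bracketed IPv6 literal.
# Anything else (a path, a space, a NUL) is rejected before matching.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])$")


def split_host_port(header: str) -> str:
    """Return the host part of a Host header, dropping an optional :port.

    A bracketed IPv6 literal like '[::1]:8000' keeps its brackets so it can be
    matched against a whitelist entry written the same way.
    """
    header = header.strip()
    if header.startswith("["):
        end = header.find("]")
        return "" if end == -1 else header[: end + 1]  # "" means malformed
    return header.rsplit(":", 1)[0] if ":" in header else header


def host_matches(host: str, pattern: str) -> bool:
    """One whitelist entry against one normalised host.

    '*' matches everything (effectively disabling the check),
    '.example.com' matches example.com and any subdomain of it,
    anything else must match exactly.
    """
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed_host(header_value: str, allowed: list) -> bool:
    """Normalise the Host header and check it against the whitelist."""
    host = split_host_port(header_value).lower().rstrip(".")
    if not host or not _HOST_RE.match(host):
        return False
    return any(host_matches(host, p) for p in allowed)


def host_whitelist_middleware(app, allowed: list):
    """WSGI wrapper (hypothetical) that refuses requests for unknown hosts."""

    def wrapped(environ, start_response):
        raw = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if not is_allowed_host(raw, allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid Host header\n"]
        return app(environ, start_response)

    return wrapped


def probe(allowed: list, host_header: str) -> str:
    """Drive the middleware with a constructed environ; return the status line."""

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    # Constructed request: only the Host header matters for this check.
    list(host_whitelist_middleware(app, allowed)({"HTTP_HOST": host_header}, start_response))
    return captured["status"]


if __name__ == "__main__":
    allowed = ["example.com", ".api.example.com", "[::1]"]
    for h in ["example.com:443", "v2.api.example.com", "evil.example.net", "[::1]:8000"]:
        print(f"{h:25} -> {probe(allowed, h)}")
```

The point the thread makes is the default: if `allowed` is empty or missing, every request is refused, so the lazy path is the safe one, and a developer who forgot to configure the server-side vhost whitelist still gets the same protection from the application layer.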