{"id":5183,"library":"django-allow-cidr","title":"Django Allow CIDR","description":"django-allow-cidr is a Django Middleware that extends the functionality of Django's `ALLOWED_HOSTS` setting to support CIDR IP ranges. It allows developers to specify IP networks (e.g., '192.168.1.0/24') alongside regular hostnames, which is particularly useful for health checks or internal network access. The current version is 0.8.0, with releases occurring periodically to support new Django and Python versions.","status":"active","version":"0.8.0","language":"en","source_language":"en","source_url":"https://github.com/mozmeao/django-allow-cidr","tags":["django","middleware","security","ip","cidr","allowed_hosts","network"],"install":[{"cmd":"pip install django-allow-cidr","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core framework dependency.","package":"Django","optional":false},{"reason":"Used for IP address and network manipulation; included in Python's standard library since 3.3.","package":"ipaddress","optional":false}],"imports":[{"symbol":"AllowCIDRMiddleware","correct":"from allow_cidr.middleware import AllowCIDRMiddleware"}],"quickstart":{"code":"import os\n\nSECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', 'a-very-secret-key-for-development')\nDEBUG = True\n\nALLOWED_HOSTS = [\n    'localhost',\n    '127.0.0.1',\n    # Other hostnames will still work\n]\n\n# Define CIDR ranges for allowed hosts\nALLOWED_CIDR_NETS = [\n    '192.168.1.0/24',\n    '10.0.0.0/8',\n    '::1/128' # IPv6 example\n]\n\nMIDDLEWARE = [\n    'allow_cidr.middleware.AllowCIDRMiddleware',\n    'django.middleware.security.SecurityMiddleware',\n    'django.contrib.sessions.middleware.SessionMiddleware',\n    'django.middleware.common.CommonMiddleware',\n    'django.middleware.csrf.CsrfViewMiddleware',\n    'django.contrib.auth.middleware.AuthenticationMiddleware',\n    'django.contrib.messages.middleware.MessageMiddleware',\n    'django.middleware.clickjacking.XFrameOptionsMiddleware',\n]","lang":"python","description":"To use django-allow-cidr, install it via pip and then add `AllowCIDRMiddleware` to the very beginning of your `MIDDLEWARE` settings. Define your allowed CIDR ranges in the `ALLOWED_CIDR_NETS` setting in your `settings.py`. Note that if `ALLOWED_CIDR_NETS` is defined, the middleware will internally set `ALLOWED_HOSTS` to `['*']` and take over host header validation."},"warnings":[{"fix":"Upgrade to Python 3.9+ and Django 4.1+ before upgrading django-allow-cidr to 0.8.0.","message":"Version 0.8.0 dropped support for Python versions older than 3.9 and Django versions earlier than 4.1.","severity":"breaking","affected_versions":"<0.8.0"},{"fix":"Ensure your project runs on Python 3.7 or newer before upgrading to django-allow-cidr 0.6.0+.","message":"Version 0.6.0 dropped support for Python 3.6. Users on Python 3.6 must upgrade their Python version before updating to 0.6.0 or newer.","severity":"breaking","affected_versions":"<0.6.0"},{"fix":"Always place `'allow_cidr.middleware.AllowCIDRMiddleware'` at the very top of your `MIDDLEWARE` setting.","message":"The `AllowCIDRMiddleware` *must* be the first middleware in your `MIDDLEWARE` tuple/list. Incorrect placement may lead to Django's built-in `HostHeader` validation rejecting requests before `django-allow-cidr` can process them.","severity":"gotcha","affected_versions":"All"},{"fix":"Configure `ALLOWED_HOSTS` and `ALLOWED_CIDR_NETS` as usual. Be aware that `ALLOWED_HOSTS = ['*']` becomes the effective Django setting at runtime when `ALLOWED_CIDR_NETS` is in use, with `django-allow-cidr` enforcing the actual host restrictions.","message":"If `ALLOWED_CIDR_NETS` is defined and has values, `django-allow-cidr` will internally set Django's `ALLOWED_HOSTS` to `['*']` and handle host header validation itself. While other `ALLOWED_HOSTS` entries will still be considered by the middleware, this internal change is important to understand for debugging.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure your environment is running Python 3.3+ (where `ipaddress` was introduced). No action is typically needed unless you had specific `netaddr` version requirements that are no longer met.","message":"Prior to version 0.5.0, `django-allow-cidr` depended on the `netaddr` library. Version 0.5.0 replaced this dependency with Python 3's built-in `ipaddress` module. While not directly breaking for most users, those relying on `netaddr` being pulled in as a transitive dependency should be aware of this change.","severity":"deprecated","affected_versions":"<0.5.0"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}