Should server IP address be in ALLOWED_HOSTS django setting?

No, it shouldn’t

By default, there is no reason an IP address should be accepted as a valid HOST header. The error you're seeing is a sign of a misconfigured production environment: such requests shouldn't reach the back-end at all.

Here’s a post on security.stackexchange.com on Host header poisoning & ALLOWED_HOSTS.

What to do

Filter out all requests with an invalid HOST header before they reach django back-end.

How to

Most likely you're using nginx as a reverse proxy in front of django. If you don't use any reverse proxy at all (or you're serving traffic with runserver), you have to put one in front of django; otherwise you're exposing yourself to Host header attacks.

Add a default server block returning 444 (nginx's "close the connection without a response" status) at the top of your configuration. It should be the first server block for that port, because nginx treats the first block listening on an address:port as the default one unless another block is marked with default_server:

# File: /etc/nginx/sites-available/domain.com

upstream django_server {
    server 127.0.0.1:8000;
}

# Catch all requests with an invalid HOST header
server {
    server_name "";
    listen      80;
    return      444;
}

# Your config goes there
server {
    server_name  domain.com;
    listen       80;

    location / {
        proxy_pass http://django_server;
    }
}
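To see what a given ALLOWED_HOSTS value actually accepts (and why adding the server IP just widens it), here is an added example, not code from the post or from Django itself: a simplified stand-alone re-implementation of Django's host-matching rules (exact match, leading-dot subdomain wildcard, "*", port stripping, trailing-dot stripping). The ALLOWED_HOSTS list and the Host values it is run against are constructed samples.

```python
# Added example: simplified re-implementation of the matching rules Django
# applies to ALLOWED_HOSTS. Not Django's own code; sample values are constructed.

ALLOWED_HOSTS = ["domain.com", ".example.org"]   # constructed sample setting


def split_domain_port(host):
    """Return (domain, port) from a Host header value.

    Handles 'host', 'host:port', '[ipv6]' and '[ipv6]:port'; lowercases
    and drops a trailing FQDN dot, as Django does."""
    host = host.lower()
    if host.endswith("]"):                  # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    if len(bits) == 2 and bits[1].isdigit():
        domain, port = bits
    else:
        domain, port = host, ""
    return domain.rstrip("."), port


def is_same_domain(domain, pattern):
    """Exact match, or subdomain match when the pattern starts with '.'."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern) or domain == pattern[1:]
    return domain == pattern


def validate_host(host, allowed_hosts=ALLOWED_HOSTS):
    """True if the Host header value matches any ALLOWED_HOSTS entry."""
    domain, _port = split_domain_port(host)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def classify(hosts, allowed_hosts=ALLOWED_HOSTS):
    """Map each candidate Host value to 'ok' or 'DisallowedHost'."""
    return {h: ("ok" if validate_host(h, allowed_hosts) else "DisallowedHost")
            for h in hosts}


if __name__ == "__main__":
    samples = ["domain.com", "domain.com:8000", "DOMAIN.COM.", "api.example.org",
               "example.org", "notexample.org", "203.0.113.10", "[::1]:8000"]
    for host, verdict in classify(samples).items():
        print(f"{host:20} -> {verdict}")
```

Requests that nginx drops with 444 never reach this check; the point of the example is that an IP address only passes it if you list it explicitly, which is what the post advises against.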
