From 16c4afdce5c90fe34c920f746da2ff67b1359181 Mon Sep 17 00:00:00 2001
From: saani <saani@BlackBusinessLabs.com>
Date: Mon, 24 Nov 2025 13:36:11 +0000
Subject: [PATCH] config: make ALLOWED_HOSTS configurable via environment
 variable

Change ALLOWED_HOSTS from a hardcoded list to be read from environment
variable with comma-separated values support. Maintains '*' as default
fallback for backward compatibility. This allows more restrictive host
configuration in production environments while improving security posture.
---
 booking_system/settings.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/booking_system/settings.py b/booking_system/settings.py
index 75fd018..66473a9 100644
--- a/booking_system/settings.py
+++ b/booking_system/settings.py
@@ -12,7 +12,10 @@ SECRET_KEY = os.getenv('JWT_SECRET', 'django-insecure-fallback-secret-key')
 
 DEBUG = os.getenv('DEBUG')
 
-ALLOWED_HOSTS = ["*"]
+ALLOWED_HOSTS = os.getenv(
+    'ALLOWED_HOSTS', 
+    '*'
+).split(',')
 
 CORS_ALLOWED_ORIGINS = os.getenv(
     'CORS_ALLOWED_ORIGINS',