ALLOWED_HOSTS as in docs is quite self explanatory
A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations
This variable expects a third party package django-cors-headers. If a browser starts a request through JS to another domain, it will send an OPTIONS request to know if the server is letting the domain accept request by checking Access-Control-Allow-Origin header. There are some other headers also using this like Access-Control-Allow-Headers , etc.