diff --git a/swh/web/config.py b/swh/web/config.py
index eb3a68fa1..7a534e43c 100644
--- a/swh/web/config.py
+++ b/swh/web/config.py
@@ -1,54 +1,55 @@
 # Copyright (C) 2017  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 from swh.core import config
 from swh.storage import get_storage
 
 DEFAULT_CONFIG = {
+    'allowed_hosts': ('list', []),
     'storage': ('dict', {
         'cls': 'remote',
         'args': {
             'url': 'http://127.0.0.1:5002/',
         },
     }),
     'log_dir': ('string', '/tmp/swh/log'),
     'debug': ('bool', False),
     'host': ('string', '127.0.0.1'),  # development property
     'port': ('int', 5003),            # development property
     'secret_key': ('string', 'development key'),
     'throttling': ('dict', {
         'cache_uri': None,  # production: memcached as cache (127.0.0.1:11211)
                             # development: in-memory cache so None
         'scopes': {
             'swh_api': {
                 'limiter_rate': '120/h',
                 'exempted_networks': ['127.0.0.0/8']
             }
         }
     })
 }
 
-swhweb_config = None
+swhweb_config = {}
 
 
 def get_config(config_file='webapp/webapp'):
     """Read the configuration file `config_file`, update the app with
        parameters (secret_key, conf) and return the parsed configuration as a
        dict. If no configuration file is provided, return a default
        configuration."""
 
-    global swhweb_config
     if not swhweb_config:
-        swhweb_config = config.load_named_config(config_file, DEFAULT_CONFIG)
+        cfg = config.load_named_config(config_file, DEFAULT_CONFIG)
+        swhweb_config.update(cfg)
         config.prepare_folders(swhweb_config, 'log_dir')
         swhweb_config['storage'] = get_storage(**swhweb_config['storage'])
     return swhweb_config
 
 
 def storage():
     """Return the current application's SWH storage.
 
     """
     return get_config()['storage']
diff --git a/swh/web/settings/common.py b/swh/web/settings/common.py
index 92abc276a..128a64bd8 100644
--- a/swh/web/settings/common.py
+++ b/swh/web/settings/common.py
@@ -1,193 +1,193 @@
 # Copyright (C) 2017  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 
 """
 Django settings for swhweb project.
 
 Generated by 'django-admin startproject' using Django 1.11.3.
 
 For more information on this file, see
 https://docs.djangoproject.com/en/1.11/topics/settings/
 
 For the full list of settings and their values, see
 https://docs.djangoproject.com/en/1.11/ref/settings/
 """
 
 import os
 
 from swh.web.config import get_config
 
 swh_web_config = get_config()
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 PROJECT_DIR = os.path.dirname(os.path.abspath(__file__))
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = swh_web_config['secret_key']
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = swh_web_config['debug']
 DEBUG_PROPAGATE_EXCEPTIONS = swh_web_config['debug']
 
-ALLOWED_HOSTS = ['127.0.0.1', 'localhost']
+ALLOWED_HOSTS = ['127.0.0.1', 'localhost'] + swh_web_config['allowed_hosts']
 
 # Application definition
 
 INSTALLED_APPS = [
     'django.contrib.admin',
     'django.contrib.auth',
     'django.contrib.contenttypes',
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'rest_framework',
     'swh.web.api',
     'swh.web.browse'
 ]
 
 MIDDLEWARE = [
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 ]
 
 ROOT_URLCONF = 'swh.web.urls'
 
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
         'DIRS': [os.path.join(PROJECT_DIR, "../templates")],
         'APP_DIRS': True,
         'OPTIONS': {
             'context_processors': [
                 'django.template.context_processors.debug',
                 'django.template.context_processors.request',
                 'django.contrib.auth.context_processors.auth',
                 'django.contrib.messages.context_processors.messages',
             ],
             'libraries': {
                 'swh_templatetags': 'swh.web.common.swh_templatetags',
             },
         },
     },
 ]
 
 TEMPLATE_DIRS = TEMPLATES[0]['DIRS']
 
 WSGI_APPLICATION = 'swh.web.wsgi.application'
 
 
 # Database
 # https://docs.djangoproject.com/en/1.11/ref/settings/#databases
 
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.sqlite3',
         'NAME': os.path.join(PROJECT_DIR, 'db.sqlite3'),
     }
 }
 
 # Password validation
 # https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
 
 AUTH_PASSWORD_VALIDATORS = [
     {
         'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',  # noqa
     },
     {
         'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',  # noqa
     },
     {
         'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',  # noqa
     },
     {
         'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',  # noqa
     },
 ]
 
 
 # Internationalization
 # https://docs.djangoproject.com/en/1.11/topics/i18n/
 
 LANGUAGE_CODE = 'en-us'
 
 TIME_ZONE = 'UTC'
 
 USE_I18N = True
 
 USE_L10N = True
 
 USE_TZ = True
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/1.11/howto/static-files/
 
 STATIC_URL = '/static/'
 STATICFILES_DIRS = [
     os.path.join(PROJECT_DIR, "../static")
 ]
 
 INTERNAL_IPS = ['127.0.0.1']
 
 throttle_rates = {}
 
 throttling = swh_web_config['throttling']
 for limiter_scope, limiter_conf in throttling['scopes'].items():
     throttle_rates[limiter_scope] = limiter_conf['limiter_rate']
 
 REST_FRAMEWORK = {
     'DEFAULT_RENDERER_CLASSES': (
         'rest_framework.renderers.JSONRenderer',
         'swh.web.api.renderers.YAMLRenderer',
         'rest_framework.renderers.TemplateHTMLRenderer'
     ),
     'DEFAULT_THROTTLE_CLASSES': (
         'swh.web.common.throttling.SwhWebRateThrottle',
     ),
     'DEFAULT_THROTTLE_RATES': throttle_rates
 }
 
 LOGGING = {
     'version': 1,
     'disable_existing_loggers': False,
     'filters': {
         'require_debug_false': {
             '()': 'django.utils.log.RequireDebugFalse',
         },
         'require_debug_true': {
             '()': 'django.utils.log.RequireDebugTrue',
         },
     },
     'handlers': {
         'console': {
             'level': 'DEBUG',
             'filters': ['require_debug_true'],
             'class': 'logging.StreamHandler',
         },
         'file': {
             'level': 'INFO',
             'filters': ['require_debug_false'],
             'class': 'logging.FileHandler',
             'filename': os.path.join(swh_web_config['log_dir'], 'swh-web.log'),
         },
     },
     'loggers': {
         'django': {
             'handlers': ['console', 'file'],
             'level': 'DEBUG' if DEBUG else 'INFO',
             'propagate': True,
         }
     },
 }
 
 SILENCED_SYSTEM_CHECKS = ['1_7.W001', '1_8.W001']