The ALLOWED_HOSTS list should contain fully qualified host names, not URLs. Leave out the port and the protocol. If you are using 127.0.0.1, I would add localhost to the list too:
ALLOWED_HOSTS = ['127.0.0.1', 'localhost']
You could also use * to match any host:
ALLOWED_HOSTS = ['*']
Quoting the documentation:
Values in this list can be fully qualified names (e.g. 'www.example.com'), in which case they will be matched against the request’s Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: '.example.com' will match example.com, www.example.com, and any other subdomain of example.com. A value of '*' will match anything; in this case you are responsible to provide your own validation of the Host header (perhaps in a middleware; if so this middleware must be listed first in MIDDLEWARE_CLASSES).
Bold emphasis mine.
The status 400 response you get is due to a SuspiciousOperation exception being raised when your host header doesn’t match any values in that list.
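The matching rules quoted from the documentation, re-implemented in plain Python as an added example (not part of the original answer and not Django's own code; the function names are hypothetical). It shows why an entry that includes a protocol or port never matches, and which requests would end in the 400 response.

```python
# Added illustration of the quoted matching rules. Not Django's implementation;
# strip_port, pattern_matches, host_allowed and response_status are hypothetical names.

def strip_port(host_header):
    """Return the lower-cased host part of a Host header value, without the port."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def pattern_matches(pattern, host):
    """Apply one ALLOWED_HOSTS entry to a host that already had its port removed."""
    pattern = pattern.lower()
    if pattern == "*":  # matches anything; Host validation is then up to you
        return True
    if pattern.startswith("."):  # subdomain wildcard, also matches the bare domain
        return host == pattern[1:] or host.endswith(pattern)
    return pattern == host  # exact, case-insensitive comparison


def host_allowed(host_header, allowed_hosts):
    host = strip_port(host_header)
    return any(pattern_matches(p, host) for p in allowed_hosts)


def response_status(host_header, allowed_hosts):
    """400 stands in for the SuspiciousOperation outcome described above."""
    return 200 if host_allowed(host_header, allowed_hosts) else 400


if __name__ == "__main__":
    # Constructed sample settings and Host header values.
    settings = {
        "hosts only": ["127.0.0.1", "localhost"],
        "url entry": ["http://127.0.0.1:8000"],
        "entry with port": ["127.0.0.1:8000"],
        "subdomain wildcard": [".example.com"],
    }
    headers = ["127.0.0.1:8000", "LOCALHOST:8000", "www.example.com", "badexample.com"]
    for label, allowed in settings.items():
        for header in headers:
            print(f"{label:18} {header:18} -> {response_status(header, allowed)}")
```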