diff --git a/.env.example b/.env.example
index 8977349c5bd7350bea0b06af9904796f4ab29554..8384876b2c2f668ec20eee63486e21c0b7142b57 100644
--- a/.env.example
+++ b/.env.example
@@ -7,14 +7,16 @@ SECRET_KEY=put-something-awesomely-random-here
 # A comma-separated list of hostnames/IPs Django should listen to. For a
 # production setup this will be something like aura.example.org, for a dev
 # setup you might just use the default settings.
-# (default: 127.0.0.1, localhost)
+# Important: do not put spaces between commas and values!
+# (default: 127.0.0.1,localhost)
 #ALLOWED_HOSTS=
 
 # A comma-separated list of URIs where the webclients live that should be able
 # to access the steering API. In particular the dashboard. Might not be needed
 # in a production setup if steering and dashboard share the same domain. In
 # a dev setup the defaults might be just fine.
-# (default: http://127.0.0.1:8080, http://localhost:8080)
+# Important: do not put spaces between commas and values!
+# (default: http://127.0.0.1:8080,http://localhost:8080)
 #CORS_ORIGIN_WHITELIST=
 
 # The database settings.
diff --git a/steering/settings.py b/steering/settings.py
index 2f8817eb61b5cba59ed068c6d761d89912a25fdd..6d3390c4b590825329e6fc1eb2658a9c748311eb 100644
--- a/steering/settings.py
+++ b/steering/settings.py
@@ -30,7 +30,7 @@ ADMINS = ()
 MANAGERS = ADMINS
 
 # Must be set if DEBUG is False
-ALLOWED_HOSTS = env.list('HOSTNAMES', default=['127.0.0.1', 'localhost'])
+ALLOWED_HOSTS = env.list('ALLOWED_HOSTS', default=['127.0.0.1', 'localhost'])
 
 # Whitelist IPs that access the API
 CORS_ORIGIN_WHITELIST = env.list('CORS_ORIGIN_WHITELIST', default=(