Applications running on HTTPD were found to trust the user-supplied Host header without performing any check or validation on it.
Product Version: 2.4
There are a couple of suggestions that can be followed to mitigate this issue in HTTPD:
Use Canonical Hostnames: Use canonical hostnames instead of allowing users to supply their own host headers. This ensures that only authorized hosts are allowed to access the application.
If this is not possible, mod_rewrite can be used to validate that the provided Host header matches an allowed value, as in the following example:
RewriteEngine on
# Reject any Host header that is not exactly www.example.com or example.com (case-insensitive)
RewriteCond %{HTTP_HOST} !^(www\.example\.com|example\.com)$ [NC]
# Send non-matching requests to a fixed error page on the canonical host
RewriteRule ^(.*)$ http://www.example.com/error.html [L,R=301]
This example checks that the provided Host header matches www.example.com or example.com and, if it doesn’t, redirects to an error page.
In addition, it is a best practice to force HTTPS; this can also be done using mod_rewrite. Because the rule below builds the redirect target from %{HTTP_HOST}, it should be placed after the Host validation above so that an unvalidated Host value is never echoed into a redirect:
RewriteEngine On
# Only act on plain HTTP requests
RewriteCond %{HTTPS} off
# Redirect to the same host and path over HTTPS
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
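The following virtual host is an added example, not configuration from the original page: it combines the three mitigations described above (canonical hostname, Host header validation, and forced HTTPS) in one place and in the order that matters. Hostnames, ports and paths are assumed placeholders. It departs from the page's snippet in two ways, both labelled in the comments: rejected requests get a 403 via the [F] flag instead of a 301 to an error page, and the HTTPS redirect targets the configured ServerName instead of echoing %{HTTP_HOST}.

```apache
# Added example (not from the original page). Placeholders: www.example.com,
# example.com and the port numbers are assumptions; adjust to your deployment.
<VirtualHost *:80>
    # 1. Canonical hostname: self-referential URLs that HTTPD generates
    #    (e.g. trailing-slash redirects) are built from ServerName,
    #    not from the client's Host header.
    ServerName www.example.com
    ServerAlias example.com
    UseCanonicalName On

    RewriteEngine On

    # 2. Validate the Host header first, before any rule that reuses
    #    %{HTTP_HOST}. The optional ":port" group accepts requests that
    #    legitimately carry a port (e.g. www.example.com:8080); drop it
    #    if clients never send one.
    RewriteCond %{HTTP_HOST} !^(www\.example\.com|example\.com)(:[0-9]+)?$ [NC]
    # Differs from the page's snippet: answer 403 Forbidden instead of
    # redirecting, so a bad Host value never reaches the application.
    RewriteRule ^ - [F]

    # 3. Force HTTPS. Differs from the page's snippet: the redirect target is
    #    the canonical name, so the Location header is never derived from
    #    client input even if the check above is later misconfigured.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

The same Host validation block belongs in the matching *:443 virtual host, since the check only protects the listener it is configured on. Note also that HTTPD routes a request whose Host matches no ServerName or ServerAlias to the first (default) virtual host, so a dedicated catch-all default vhost that only returns an error is a useful complement to the per-site check.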