TDV Server Security
To protect against Host header attacks, TDV provides a configuration option that users can tune. Navigate to the property Server -> Configuration -> Security -> Allowed Hosts. The entries in this list determine the allowed host/domain names.
A fake Host value in incoming HTTP request headers can be used for Cross-Site Request Forgery, cache poisoning attacks, and poisoning links in emails.
Values in this list can be fully qualified names (e.g. 'www.example.com'), in which case they will be matched against the request's Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: '.example.com' will match example.com, www.example.com, and any other subdomain of example.com.
The default value is empty, which means the Host header is not validated.
Changing this value will have no effect until the next server restart.
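The matching rules described above can be modeled as follows. This is an added example, not TDV source code: the function names, the bracketed IPv6 handling, and the sample hosts and ports are assumptions made for illustration. It is useful for checking what a planned Allowed Hosts list will accept before restarting the server.

```python
# Added illustration of the documented Allowed Hosts matching rules.
# Not TDV code; strip_port() and host_allowed() are hypothetical names.

def strip_port(host_header):
    """Lower-case a Host header value and drop the port, if any."""
    host = host_header.strip().lower()
    if host.startswith("["):
        # Assumption: bracketed IPv6 literal such as [::1]:9400
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") == 1:
        # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host


def host_allowed(host_header, allowed_hosts):
    """Return True if the Host header is accepted by the allowed list."""
    if not allowed_hosts:
        # Documented default: an empty list means no validation at all.
        return True
    host = strip_port(host_header)
    for pattern in allowed_hosts:
        pattern = pattern.strip().lower()
        if pattern in ("", "."):
            continue  # ignore empty entries rather than match everything
        if pattern.startswith("."):
            # '.example.com' matches example.com and any subdomain of it.
            # The leading dot is kept in the suffix test so that a look-alike
            # such as 'evilexample.com' is not accepted.
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            # Fully qualified name: exact, case-insensitive match.
            return True
    return False


if __name__ == "__main__":
    allowed = [".example.com"]  # constructed sample configuration
    for header in ("WWW.Example.com:9402", "example.com",
                   "evilexample.com", "www.example.com.attacker.test"):
        print(header, "->", host_allowed(header, allowed))
```

With the default empty list every Host value is accepted, so the checks above only take effect once at least one entry is configured.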