To frustrate host injection attacks, the Host header in each incoming request is checked against a list of expected host names.

Note: This topic applies to Horizon 8 versions 2306 and later, 2212.1 and later, 2209.1 and later, and 2111.2 and later.

In earlier releases of Horizon 8, this protection was deactivated by default. To manually deactivate Host Checking, add the entry allowUnexpectedHost=true to locked.properties.

The list of expected host names includes the External URL (also known as the Secure Tunnel External URL), therefore direct connections to that name, as well as connections through a gateway configured to forward to that name, require no further configuration.

For additional expected names, as well as how to extend the list to load balancers, non-rewriting gateways and alternative canonical names, see "Origin Checking" in Cross-Origin Resource Sharing.