I'm trying to fix a site vulnerability; it is an "Improper Input Handling" attack raised by WhiteHat. Let's say my website is www.mywebsite.com and there is a hacker's website www.hacker.com.
Whenever a request is sent to www.mywebsite.com with a modified "Host" header pointing to www.hacker.com, my site creates a redirect to www.mywebsite.com along with whatever URL it was. To fix this I tried the Tomcat virtual host configuration below, but it's still redirecting to the other website.
<!-- Tomcat attribute names are case-sensitive: it is appBase, not appbase -->
<Host name="defaultlocalhost" appBase="whatever">
    <!-- allow addresses to these hosts -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow=".*\.mywebsite1\.com|.*\.mywebsite2\.com"/>
</Host>
So, my question is: is this the right approach to prevent this Host header attack? If yes, what did I do wrong that it's still not working? (The ultimate goal is that if the Host passed in is not the legitimate one, the request should be discarded/ignored/return 404, not redirected with a 302.)
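For comparison, here is a server.xml fragment that does what the question asks for. It is an added example, not the poster's configuration or anything from WhiteHat. Two facts about Tomcat drive it: RemoteAddrValve matches the client's IP address, not the Host header, so it never influences which virtual host serves the request; and Tomcat picks the virtual host by comparing the Host header against each Host's name and Alias entries, sending anything that does not match to the Engine's defaultHost. The host names, the empty directory name and the deployment attributes are assumptions for the example.

```xml
<!-- server.xml fragment (added example, not the poster's configuration).
     Assumes Tomcat receives requests directly and the application is
     deployed under CATALINA_BASE/webapps. -->
<Engine name="Catalina" defaultHost="catchall">

  <!-- The real site. Tomcat selects this Host only when the request's
       Host header equals name= or one of the Alias entries. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Alias>mywebsite.com</Alias>
  </Host>

  <!-- Catch-all for every other Host header value (www.hacker.com, a bare
       IP address, a missing Host header). Its appBase is an empty directory
       (assumed name, create it under CATALINA_BASE), so no Context is mapped
       and Tomcat answers 404 instead of running the application, which means
       the application never gets the chance to build a redirect. -->
  <Host name="catchall" appBase="catchall-empty"
        autoDeploy="false" deployOnStartup="false" />

</Engine>
```

After restarting Tomcat, check it with `curl -i -H "Host: www.hacker.com" http://<server-ip>/` (expect a 404 and no Location header) and `curl -i -H "Host: www.mywebsite.com" http://<server-ip>/` (expect the application). If Tomcat sits behind Apache httpd or nginx, the same allow-list has to be enforced there as well (ServerName/server_name plus a default virtual host that refuses unknown names), because the proxy may forward or rewrite the Host header before Tomcat sees it.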