Preventing HTTP host header attacks in Azure


As per the Whitehat Security report, there is a vulnerability in the Host or X-Forwarded-Host request headers on our site, built using Kentico and hosted in Azure.

How do we prevent this type of attack in Azure (we have a gateway and WAF in Azure)?

There is 1 best solution below

Kentico alone does not process the Host header at all, nor does it use it in any way. This problem seems to stem from the Azure configuration. In my experience, I ran into this issue when I had set an empty binding on the IIS server and IIS accepted the Host header.

Azure seems to allow for empty host names (or wildcards due to multi-tenant setups):

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview

https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

It could be these that are reflecting the Host header, and you will need to make sure that the gateway and the application are set to the proper host name, and then the Host header will just be ignored.
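
One way to check the outcome the answer describes, as an added example that is not part of the original answer and is not Kentico or Azure code: an allow-list test for the `Host` and `X-Forwarded-Host` values a request carries, and a check of whether a response echoes a host name the client supplied. The function names, `www.example.com`, `probe.invalid` and both sample responses are assumptions constructed for illustration.

```python
# Added example; host names and responses below are constructed.
ALLOWED_HOSTS = {"www.example.com"}  # assumption: the site's only public name


def normalize_host(value):
    """Lower-case a host value and drop the port and any trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def unexpected_hosts(request_headers, allowed=ALLOWED_HOSTS):
    """Return Host / X-Forwarded-Host values that are not on the allow-list."""
    bad = []
    for name in ("Host", "X-Forwarded-Host"):
        # A proxy chain may append several comma-separated values.
        for raw in request_headers.get(name, "").split(","):
            if raw.strip() and normalize_host(raw) not in allowed:
                bad.append((name, raw.strip()))
    return bad


def reflections(raw_response, supplied_host):
    """List where a raw HTTP response echoes a client-supplied host name."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = [ln.split(":", 1) for ln in head.split("\r\n")[1:] if ":" in ln]
    needle = normalize_host(supplied_host)
    if not needle:
        return []
    hits = ["header:" + k.strip() for k, v in headers if needle in v.lower()]
    if needle in body.lower():
        hits.append("body")
    return hits


# Constructed response from a server that builds its redirect from the Host header.
REFLECTING = ("HTTP/1.1 302 Found\r\n"
              "Location: https://probe.invalid/login\r\n"
              "Content-Length: 0\r\n\r\n")
# Constructed response from a server that ignores the supplied host name.
FIXED = ("HTTP/1.1 302 Found\r\n"
         "Location: https://www.example.com/login\r\n"
         "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(unexpected_hosts({"Host": "www.example.com:443",
                            "X-Forwarded-Host": "probe.invalid"}))
    print(reflections(REFLECTING, "probe.invalid"), reflections(FIXED, "probe.invalid"))
```

An empty result from `reflections` for a response captured from your own site, after the gateway listener and IIS binding carry an explicit host name, is the behaviour the answer is aiming for.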