Defend against 'Host' header injection in Apache
The changes introduced to the nginx configuration in Release 8.10 should be translated to the apache config examples. (gitlab-org/gitlab-ce!5213)
I added something like this to my config, but maybe i should also add ProxyAddHeaders Off
RequestHeader set Host 'YOUR_SERVER_FQDN'
RequestHeader unset X-Forwarded-Host
Apache config syntax: ProxyAddHeaders RequestHeader
In my case Host header injection should not be possible regardless because I'm running multiple VirtualHosts in apache and gitlab isn't the default / catchall host. In my case the VirtualHost would only catch Requests to the host defined in 'ServerName'.