The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost thatcatches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcardSERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directiveon. Consult references for detailed information.