diff --git a/COPY/etc/httpd/conf.d/manageiq-host-config b/COPY/etc/httpd/conf.d/manageiq-host-config
new file mode 100644
index 0000000..4438494
--- /dev/null
+++ b/COPY/etc/httpd/conf.d/manageiq-host-config
@@ -0,0 +1,9 @@
+# Default config (insecure)
+ProxyPreserveHost on
+
+# To make the appliance more secure and prevent Host Header Injection attacks,
+# uncomment the following and change APPLIANCE_HOSTNAME to use the hostname
+# address that the appliance is running on.
+#
+# RequestHeader set Host APPLIANCE_HOSTNAME
+# RequestHeader set X-Forwarded-Host APPLIANCE_HOSTNAME
diff --git a/COPY/etc/httpd/conf.d/manageiq-http.conf b/COPY/etc/httpd/conf.d/manageiq-http.conf
index a2a87b6..4102c2a 100644
--- a/COPY/etc/httpd/conf.d/manageiq-http.conf
+++ b/COPY/etc/httpd/conf.d/manageiq-http.conf
@@ -19,7 +19,7 @@ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
 #  Include conf.d/manageiq-redirects-api
 #  Include conf.d/manageiq-redirects-ui
 #  Include conf.d/manageiq-redirects-websocket
-#  ProxyPreserveHost on
+#  Include conf.d/manageiq-host-config
 #  <Location /assets/>
 #    Header unset ETag
 #    FileETag None
diff --git a/COPY/etc/httpd/conf.d/manageiq-https-application.conf b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
index 43f7580..0f43faa 100644
--- a/COPY/etc/httpd/conf.d/manageiq-https-application.conf
+++ b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
@@ -11,7 +11,7 @@ Include conf.d/manageiq-redirects-cockpit
 Include conf.d/manageiq-redirects-api
 Include conf.d/manageiq-redirects-ui
 Include conf.d/manageiq-redirects-websocket
-ProxyPreserveHost on
+Include conf.d/manageiq-host-config
 RequestHeader set X_FORWARDED_PROTO 'https'
 
 ErrorLog /var/www/miq/vmdb/log/apache/ssl_error.log