diff --git a/Gemfile b/Gemfile
index 751f733bb0b..d694ca787f6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -31,6 +31,7 @@ gem 'phony_rails'
 gem 'premailer-rails'
 gem 'proofer', github: '18F/identity-proofer-gem', branch: 'master'
 gem 'rack-cors', require: 'rack/cors'
+gem 'rack-headers_filter'
 gem 'rack-timeout'
 gem 'readthis'
 gem 'redis-session-store', github: '18F/redis-session-store', branch: 'master'
diff --git a/Gemfile.lock b/Gemfile.lock
index e79488ee61d..4bf4b3f6f4e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -415,6 +415,7 @@ GEM
     rack-attack (5.0.1)
       rack
     rack-cors (0.4.1)
+    rack-headers_filter (0.0.1)
     rack-mini-profiler (0.10.5)
       rack (>= 1.2.0)
     rack-protection (2.0.0)
@@ -714,6 +715,7 @@ DEPENDENCIES
   proofer!
   pry-byebug
   rack-cors
+  rack-headers_filter
   rack-mini-profiler
   rack-test
   rack-timeout
diff --git a/config/application.rb b/config/application.rb
index 59cd2d469da..b851ce627c5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -33,6 +33,8 @@ class Application < Rails::Application
       event.payload.except(:params, :headers)
     end
 
+    config.middleware.insert_before 0, Rack::HeadersFilter
+
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'
diff --git a/spec/requests/headers_spec.rb b/spec/requests/headers_spec.rb
new file mode 100644
index 00000000000..70d91a9d9f5
--- /dev/null
+++ b/spec/requests/headers_spec.rb
@@ -0,0 +1,9 @@
+require 'rails_helper'
+
+RSpec.describe 'Headers' do
+  it 'does not reflect header host values' do
+    get root_path, headers: { 'X-Forwarded-Host' => 'evil.com' }
+
+    expect(response.body).to_not include('evil.com')
+  end
+end