--- server/protocol.c 2014-03-10 14:04:03.000000000 +0100
+++ server/protocol.c.new 2014-06-05 23:41:38.233573966 +0200
@@ -1063,6 +1063,21 @@
 apr_brigade_destroy(tmp_bb);
+ /*
+ * rfc2616: If Request-URI is an absoluteURI, the host is part of the
+ * Request-URI. Any Host header field value in the request MUST be
+ * ignored.
+ * We are currently ignoring it, but the Host headers are still present
+ * and may get use by naive programs as the one used for vhost choice
+ * or like a valid hostname. So enforce the 'ignore' behavior by
+ * overwritting any present Host header.
+ * Note that this is made just before the fixHostname(r) call, so this
+ * Host header entry is still not as safe as the hostname.
+ */
+ if (r->hostname && apr_table_get(r->headers_in, "Host")) {
+ apr_table_set(r->headers_in, "Host", r->hostname);
+ }
+
 /* update what we think the virtual host is based on the headers we've
 * now read. may update status.
 */
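Review bot: Overwriting Host with r->hostname on the added apr_table_set line drops any port that was in the original Host header, since r->hostname holds only the host part of the absolute URI; a consumer that reads Host afterwards (the very case the comment worries about) then sees a bare host where the client sent `host:port`. If the intent is to mirror the Request-URI authority, build the value from the parsed URI, e.g. `apr_table_set(r->headers_in, "Host", r->parsed_uri.port_str ? apr_pstrcat(r->pool, r->hostname, ":", r->parsed_uri.port_str, NULL) : r->hostname);`. The condition also relies on r->hostname being non-NULL at this point only for absolute-URI requests, which presumably depends on ap_parse_uri having set it earlier in this function and is worth stating in the comment, together with the fact that the value has not yet been validated. The comment should read "may get used by" and "overwriting"; the function enclosing this hunk starts and ends outside it.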