diff --git a/README.md b/README.md
index a671f92a..e3d8cc54 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,10 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## Next Release - 2.5.4
+
+* Discard `X-Forwarded-Host` headers
+
 ## 2.5.3 (2022-12-05)
 
 * Add support for WTForms v3 to support Debian Bookworm
diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py
index 9e48817f..996d17c7 100644
--- a/rdiffweb/rdw_app.py
+++ b/rdiffweb/rdw_app.py
@@ -85,7 +85,7 @@
 @cherrypy.tools.currentuser(userobj=lambda username: UserObject.get_user(username))
 @cherrypy.tools.db()
 @cherrypy.tools.enrich_session()
-@cherrypy.tools.proxy(remote='X-Real-IP')
+@cherrypy.tools.proxy(local=None, remote='X-Real-IP')
 @cherrypy.tools.secure_headers()
 class Root(LocationsPage):
     def __init__(self):
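Review bot: With `local=None` on the `@cherrypy.tools.proxy(...)` decorator, `X-Forwarded-Host` is no longer read, but no `base` is passed, so as far as I know CherryPy's proxy tool then builds `request.base` from the request's `Host` header, which a client can set just as easily. URLs generated from `request.base` are therefore only trustworthy if the front-end proxy or a virtual-host check pins `Host`; passing a fixed `base=` taken from deployment configuration, or validating `Host` against an allow-list, would close that remaining path. The same decorator still takes `X-Real-IP` (and, by the tool's default, `X-Forwarded-Proto`) from whichever peer connects, so the reverse proxy must overwrite both; a comment above the line such as `# local=None: ignore X-Forwarded-Host; X-Real-IP is trusted, so the reverse proxy must always set it` would record that assumption. The visible diff adds no test asserting that a request carrying `X-Forwarded-Host` leaves generated URLs unchanged. The `Root` class body continues outside the hunk.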