Traefik v2 host header injection remedy wrt port bypass

Using Traefik v2.7.x, KubernetesCRD (IngressRoute & Middlewares (Header variant)) and args in deployment, we have limited the host to a few domains using "allowedhosts". During a vulnerability test we realized that while the host (domains) is validated, the port field of the host can be bypassed and payload by a malicious user. How do we check this part in Traefik?

Although there's a mention of address in the documentation as host:port, we don't actually understand how it could be implemented without any example.

Unneeded spaces to domains are written here to bypass 4 links in a post limit
For example, if I have a few domains such as:

a. example. com
b. example. com
c. example. com
d. example. com

We have something like:

apiVersion: traefik. containo. us/v1alpha1
kind: Middleware
metadata:
  name: headers-test
  namespace: non-default
spec:
  headers:
    allowedHosts:
      - a. example. com
      - b. example. com
      - c. example. com
      - d. example. com


My expectation is to allow only HTTPS over 443.

https://a.example.com or a.example.com:443 is failing to load application service altogether.

FYI: we used the ingressroute as:

spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`a. example. com`) && PathPrefix(`/`)
      middlewares:
        - name: headers-test
      services:
        - kind: Service
          name: app1
          namespace: non-default
          port: 4321


If the Host header is tampered with on the client end to google.com:8443, the server (Traefik) is returning a 302 response with Location: https://google.com:8443/, indicating Host header injection.

Request assistance.
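
An added example, not part of the original post and not Traefik's own code: a standalone Go check for the policy described above, where a Host header value is accepted only if its domain is allowlisted and its port is either absent or 443. The function name `hostAllowed` is hypothetical, and the allowlist and sample header values are constructed from the post's domains.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// allowedHosts mirrors the post's allowlist (constructed sample domains).
var allowedHosts = map[string]bool{
	"a.example.com": true, "b.example.com": true,
	"c.example.com": true, "d.example.com": true,
}

// hostAllowed reports whether a raw Host header value names an allowlisted
// domain and carries either no port or exactly allowedPort.
func hostAllowed(hostHeader, allowedPort string) bool {
	host, port := hostHeader, ""
	// A colon means a port (or an IPv6 literal); let net.SplitHostPort decide.
	if strings.Contains(hostHeader, ":") {
		h, p, err := net.SplitHostPort(hostHeader)
		if err != nil || p == "" {
			return false // malformed ("a:443:80") or dangling colon ("a:")
		}
		host, port = h, p
	}
	// Compare the port as an exact string so "8443" or "0443" never pass.
	if port != "" && port != allowedPort {
		return false
	}
	// Hostnames are case-insensitive; one trailing dot names the same host.
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return allowedHosts[host]
}

func main() {
	// Constructed Host header values, including the tampered one from the post.
	samples := []string{"a.example.com", "a.example.com:443", "A.Example.com:443",
		"a.example.com:8443", "google.com:8443", "a.example.com:443:80", "a.example.com:"}
	for _, h := range samples {
		fmt.Printf("%-24q allowed=%v\n", h, hostAllowed(h, "443"))
	}
}
```

The check validates host and port together, so an allowlisted domain with an unexpected port is rejected the same way as an unknown domain.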