Traefik v2 host header injection remedy wrt port bypass

Using Traefik v2.7.x, KubernetesCRD (IngressRoute & Middlewares (Header variant)) and args in deployment, we have limited the host to few domains using "allowedhosts". During a vulnerability test we realized that while host (domains) are validated but the port field of the host can be bypassed and payload by a malicious user. How do we do check this part in Traefik?

Although there's a mention of address in documentation as host:port we don't actually understand how it could be implemented without any example.

Unneeded spaces to domains are written here to bypass 4 links in a post limit
For eg if I have few domains as:

a. example. com
b. example. com
c. example. com
d. example. com

We have something like:

apiVersion: traefik. containo. us/v1alpha1
kind: Middleware
name: headers-test
namespace: non-default
- a. example. com
- b. example. com
- c. example. com
- d. example. com

My expectation is to allow only https over 443 or is failing to load application service altogether.

FYI: we used the ingressroute as:

- websecure
- kind: Rule
match: Host(a. example. com) && PathPrefix(/)
- name: headers-test
- kind: Service
name: app1
namespace: non-default
port: 4321

If Host is tampered on client end with the server(Traefik) is returning 302 response with Location: indicating Host header Injection.

Request assistance.