diff --git a/chrome/content/zotero/xpcom/server.js b/chrome/content/zotero/xpcom/server.js
index 2ff681dbd..e0f49d80a 100755
--- a/chrome/content/zotero/xpcom/server.js
+++ b/chrome/content/zotero/xpcom/server.js
@@ -237,6 +237,7 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
 Zotero.debug(this.header, 5);
 const methodRe = /^([A-Z]+) ([^ \r\n?]+)(\?[^ \r\n]+)?/;
+ const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?([^ \r\n]+)/i;
 const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
 if(!Zotero.isServer) {
@@ -251,6 +252,12 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
 }
 }
+ // Make sure the Host header is set to 127.0.0.1 to prevent DNS rebinding attacks
+ if (!hostRe.exec(this.header)) {
+ this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n"));
+ return;
+ }
+
 // get first line of request
 var method = methodRe.exec(this.header);
 // get content-type
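Review bot: The Host check in the second hunk is weaker than its comment states, because `hostRe` (added in the first hunk) is not anchored after the address: its trailing `([^ \r\n]+)` group accepts any run of non-space characters, so a Host value that merely begins with `127.0.0.1` (for example `127.0.0.10`, or a longer name whose first labels are those octets) is accepted, while a bare `Host: 127.0.0.1` with no port is rejected because the group requires at least one character. Anchoring the value to the end of the header line closes both gaps: `const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?[\r\n]/i;`. Since the rebinding defence rests entirely on this pattern, a small test of the accepted and rejected forms would be worth adding alongside it. `_headerFinished` begins and ends outside the hunks.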