diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php
index 6495229..9a5d8a2 100644
--- a/core/lib/Drupal/Core/DrupalKernel.php
+++ b/core/lib/Drupal/Core/DrupalKernel.php
@@ -222,6 +222,14 @@ public static function createFromRequest(Request $request, $class_loader, $envir
 $kernel->setSitePath($site_path);
 Settings::initialize(dirname($core_root), $site_path, $class_loader);
+ // Initialize our list of trusted HTTP Host headers to protect against
+ // header attacks. This can be bypassed by setting
+ // $settings['bypass_trusted_hosts'] = TRUE;
+ $bypass_trusted_hosts = Settings::get('bypass_trusted_hosts', FALSE);
+ if (PHP_SAPI !== 'cli' && !$bypass_trusted_hosts) {
+ static::setupTrustedHosts($request);
+ }
+ // Redirect the user to the installation script if Drupal has not been
+ // installed yet (i.e., if no $databases array has been defined in the
+ // settings.php file) and we are not already installing.
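Review bot: `$settings['bypass_trusted_hosts'] = TRUE` turns the whole Host check off with no log line or status-report signal, and the comment above `Settings::get('bypass_trusted_hosts', FALSE)` presents it as a neutral knob rather than a security off-switch; I would reword it to `// $settings['bypass_trusted_hosts'] = TRUE accepts any Host header again (Host header injection into absolute URLs, cache poisoning); add a trusted_host_patterns entry instead.` and emit a one-time `trigger_error()` or log entry when the bypass is active so it is visible in production. If this Symfony version's `Request::getHost()` throws an `UnexpectedValueException` for a Host that matches no trusted pattern (not visible here), nothing in this hunk turns that into a 400 response, so a rejected request would surface as an uncaught exception. `createFromRequest` begins and ends outside this hunk.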
@@ -1312,4 +1320,52 @@ public static function validateHostname(Request $request) {
 return TRUE;
 }
+ /**
+ * Sets up the lists of trusted HTTP Host headers.
+ *
+ * Since the HTTP Host header can be set by the user making the request, it
+ * is possible to create an attack vectors against a site by overriding this.
+ * Symfony provides a mechanism for creating a list of trusted Host values.
+ *
+ * The default list of trusted hosts is set to
+ * - localhost
+ * - locahost.*
+ * - *.local
+ * - the value of $_SERVER['SERVER_NAME'], which is set by the system
+ * administrator.
+ *
+ * The default list should be sufficient for installations running a single
+ * site off of a canonical domain name. Additional host patterns (as
+ * regular expressions) can be configured throught settings.php for multisite
+ * installations, sites using ServerAlias without canonical redirection, or
+ * configurations where the site responds to default requests. For example,
+ *
+ * @code
+ * $settings['trusted_host_patterns'] = array(
+ * '^example\.com$',
+ * '^*.example\.com$',
+ * );
+ * @endcode
+ *
+ * @param \Symfony\Component\HttpFoundation\Request $request
+ * The request object
+ *
+ * @see https://www.drupal.org/node/1992030
+ */
+ public static function setupTrustedHosts(Request $request) {
+ $hostPatterns = Settings::get('trusted_host_patterns', array());
+ $hostPatterns += array(
+ '^localhost$',
+ '^localhost\.*$',
+ '\.local$',
+ );
+ $server_name = $request->server->get('SERVER_NAME');
+ if (!empty($server_name)) {
+ $hostPatterns[] = $server_name;
+ }
+ $request->setTrustedHosts($hostPatterns);
+ }
 }
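Review bot: `$hostPatterns[] = $server_name;` adds `SERVER_NAME` as a raw, unanchored, unescaped regex, so a server named `example.com` also trusts `example.com.attacker.net`, and on Apache with the default `UseCanonicalName Off` `SERVER_NAME` is itself derived from the client's Host header, which makes the allowlist accept whatever the attacker sent — the docblock's claim that it "is set by the system administrator" does not hold in that configuration. Drop the `SERVER_NAME` fallback and require an explicit `trusted_host_patterns`, or at minimum anchor and escape it, `$hostPatterns[] = '^' . preg_quote($server_name, '{') . '$';` (Symfony delimits these patterns with `{}`, so that is the delimiter to quote). `$hostPatterns += array(...)` is a key union, so once the configured array has three or more numerically indexed entries none of the defaults are added and with fewer only some are; if the defaults are meant to apply use `$hostPatterns = array_merge($hostPatterns, array(...));`. `'^localhost\.*$'` matches `localhost` followed by zero or more dots, not the `localhost.*` the docblock lists, and the doc example `'^*.example\.com$'` quantifies the `^` anchor rather than expressing "any subdomain" (`'^.+\.example\.com$'`); the docblock also has "locahost" and "throught".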