You can provide a list of allowed hostnames to protect your site from certain host header attacks.
A B2C Commerce instance responds to a request only when the instance owner added the hostname to the allowlist. B2C Commerce-provided hostnames (ending with demandware.net) are always valid. You don’t have to add them to the allowlist explicitly.