Is it normal for (fake) host in HTTP request header to recieve requests?

http routing

Yes, in fact it is so common to have such requests forwarded to your application that Django documentation devotes a paragraph just to discussing how to address common seemingly-secure configurations, explicitly warning

in many common web servers a configuration that seems to validate the Host header may not in fact do so

The simplest most obvious such case is the attacker entirely bypassing your load balancer when your application backend is accessible without going through your proxy.

In any case, because it is so notoriously hard to get right on the proxy, it may be entirely acceptable to just point out that the access log not just logs these requests, but also logs that they have been correctly rejected with a 400 HTTP status code.

Remember your application is not vulnerable to that class of spoofing attacks just because it receives these requests. What would make it vulnerable would be acting on them in any fashion that might reveal or change state. Your application should be correctly configured to validate the header and respond HTTP 400 accordingly if receiving requests with unexpected hosts.

Related

How to not propagate private IP address?
Blackbox-exporter modules header
How do I serve a localhost projects on a made up domain, such as mysite.test and testing.test simultaneously?
How does one gracefully kill a process in Windows?
Connect to production database on vps from local dev environment
At what point Site-to-Site VPN encryption ends on the AWS side
Powershell self-signed certifcate private key not exportable
"fatal: unknown service: smtp/tcp" from postfix in docker using `start-fg`
How to choose upstream based on request header
Accessing virtual machines through a web browser
Opening files in the same folder as the current file, in vim
Reading a registry key in C#