Multiple host headers forbidden in requests to prevent 'Host of Troubles' vulnerability

Change effective on 07 November 2016

To protect customer applications, the Heroku router now forbids incoming requests from using multiple host name entries in their HTTP headers. This change is compliant with RFC 7230 section 5.4 and protects applications and hosts from various forms of cache poisoning and filtering.