DNS rebinding involves changing your host's really-low-TTL A record to 127.0.0.1 (or other internal IP), and then on next request the browser will then assume that's what the host is and make call to that new IP assuming same-origin...but it sets the Host header as what the browser thinks represents that IP. If it's not localhost or 127.0.0.1 (for this use case) then we know someone tricked into thinking it was theirs that was our local IP. So check the Host to make sure it isn't someone else's host "re-bound" to your IP.