If your code assumes the Host header of the HTTP request is to be trusted, you are running a big security risk. For example, if the password reset emails your website generates rely on the supplied value of Host header, it gives an attacker an easy way to steal credentials.
Host
The Host Header
GET /login HTTP/1.1 Host: website.com Connection: keep-alive Content-Type: text/html