diff --git a/_config/requestprocessors.yml b/_config/requestprocessors.yml index 8903a665d..c0bcbb9f2 100644 --- a/_config/requestprocessors.yml +++ b/_config/requestprocessors.yml @@ -3,7 +3,13 @@ Name: requestprocessors --- SilverStripe\Control\Director: middlewares: + AllowedHostsMiddleware: '%$SilverStripe\Control\AllowedHostsMiddleware' SessionMiddleware: 'SilverStripe\Control\SessionMiddleware' RequestProcessor: 'SilverStripe\Control\RequestProcessor' FlushMiddleware: '%$SilverStripe\Control\FlushMiddleware' + +SilverStripe\Core\Injector\Injector: + SilverStripe\Control\AllowedHostsMiddleware: + properties: + AllowedHosts: "`SS_ALLOWED_HOSTS`" diff --git a/src/Control/AllowedHostsMiddleware.php b/src/Control/AllowedHostsMiddleware.php new file mode 100644 index 000000000..533481762 --- /dev/null +++ b/src/Control/AllowedHostsMiddleware.php @@ -0,0 +1,45 @@ +allowedHosts; + } + + /** + * @param $allowedHosts string A comma-separted list of allowed Host header values + */ + public function setAllowedHosts($allowedHosts) + { + $this->allowedHosts = $allowedHosts; + } + + /** + * @inheritdoc + */ + public function process(HTTPRequest $request, callable $delegate) + { + if ($this->allowedHosts && !Director::is_cli()) { + $allowedHosts = preg_split('/ *, */', $this->allowedHosts); + + // check allowed hosts + if (!in_array($request->getHeader('Host'), $allowedHosts)) { + return new HTTPResponse('Invalid Host', 400); + } + } + + return $delegate($request); + } +} diff --git a/src/Control/Director.php b/src/Control/Director.php index 1042f7e7e..081d1ef42 100644 --- a/src/Control/Director.php +++ b/src/Control/Director.php 
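Review bot: The new `AllowedHosts` property gives no hint of what happens when SS_ALLOWED_HOSTS is not defined. Judging by `process()` in the middleware added by this commit, an empty value skips the check entirely, so the default is to accept any Host header. A comment above the `properties:` block would make that explicit, for example `# Comma-separated Host header values; if SS_ALLOWED_HOSTS is unset, no host check is performed`. It is also worth confirming that the backtick-wrapped placeholder resolves to an empty value rather than a literal string when the variable is missing, because a non-empty literal would make the middleware reject every request.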
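Review bot: In `process()`, `in_array($request->getHeader('Host'), $allowedHosts)` compares loosely, and `preg_split('/ *, */', ...)` keeps empty segments, so a trailing comma in the setting puts an empty string in the list. If `getHeader()` returns null for an absent header (its implementation is not in this diff), a request with no Host header would then match that empty entry and pass. I would drop empty entries and compare strictly: `$allowedHosts = preg_split('/ *, */', trim($this->allowedHosts), -1, PREG_SPLIT_NO_EMPTY);` and `in_array($request->getHeader('Host'), $allowedHosts, true)`. The check also moved from `Director::host()` to the raw Host header, so please confirm that nothing downstream still derives the host from another source, such as a forwarded-host header, that this middleware never inspects. The setter docblock has a typo (`separted`) and conventionally reads `@param string $allowedHosts`; it could also say that entries must match the header exactly, including any port.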
@@ -123,14 +123,6 @@ class Director implements TemplateGlobalProvider */ public static function direct(HTTPRequest $request) { - // check allowed hosts - if (getenv('SS_ALLOWED_HOSTS') && !static::is_cli()) { - $allowedHosts = explode(',', getenv('SS_ALLOWED_HOSTS')); - if (!in_array(static::host(), $allowedHosts)) { - return new HTTPResponse('Invalid Host', 400); - } - } - // Generate output return static::handleRequest($request); }