Andrew,

Please excuse my lack of understanding here. So without a self-aware client (property-based server host), one compromised service can exploit all services by forging the host name in the header. Correct?

Regards,
Dom