diff --git a/include/class_CSRFProtection.inc b/include/class_CSRFProtection.inc
index 3ab2b6a5f9146195a9fbeea37654a1ea9b07a257..27a63f8ef43ea88b7bc15b5b817a41669e434e1b 100644
--- a/include/class_CSRFProtection.inc
+++ b/include/class_CSRFProtection.inc
@@ -56,7 +56,8 @@ class CSRFProtection
       $origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
       $target = FALSE;
       if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
-        $target = $_SERVER['HTTP_X_FORWARDED_HOST'];
+        /* Only take the first value, there may be several separated by commas */
+        list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
       } else
       if (!empty($_SERVER['HTTP_HOST'])) {
         $target = $_SERVER['HTTP_HOST'];
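Review bot: The value kept by the added `list($target) = explode(',', ...)` line is never trimmed, so a header written as `a.example , b.example` leaves whitespace in `$target`, and the comparison with `$origin` (which happens outside this hunk) would presumably reject a legitimate request. Adding `$target = trim($target);` right after it avoids that. Separately, the first entry of X-Forwarded-Host is the one set furthest from this server, and the header still takes precedence over HTTP_HOST whenever it is non-empty, so the check is only as reliable as the fronting proxy that sets or overwrites it. A comment such as `/* Trusted only when a reverse proxy sets this header; the first entry is the client-facing host */` would make that deployment assumption explicit. The enclosing method starts and ends outside the hunk.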