diff --git a/include/class_CSRFProtection.inc b/include/class_CSRFProtection.inc
index a2d8148889e33f720c0aeec3a188e0c898a7f6ac..9c80b84e54f2f25744d6c43c68832708f9fd3860 100644
--- a/include/class_CSRFProtection.inc
+++ b/include/class_CSRFProtection.inc
@@ -56,7 +56,8 @@ class CSRFProtection
       $origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
       $target = FALSE;
       if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
-        $target = $_SERVER['HTTP_X_FORWARDED_HOST'];
+        /* Only take the first value, there may be several separated by commas */
+        list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
       } else
       if (!empty($_SERVER['HTTP_HOST'])) {
         $target = $_SERVER['HTTP_HOST'];
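Review bot: The first comma-separated value is taken without trimming, so a header written as `host-a , host-b` (or one with a leading separator) leaves surrounding whitespace or an empty string in `$target`, which would then fail or misbehave in the comparison against `$origin` that follows; `$target = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2)[0]);` keeps the intent and drops the stray whitespace. Separately, preferring `HTTP_X_FORWARDED_HOST` over `HTTP_HOST` only yields a trustworthy target when a reverse proxy in front of the application is guaranteed to set or overwrite that header; if the application can also be reached directly, the header is client-supplied, so a comment noting that assumption next to this branch, e.g. `/* Assumes a trusted proxy sets X-Forwarded-Host; if clients can reach PHP directly this header is attacker-controlled */`, would help the next maintainer. The enclosing method starts and ends outside this hunk, so the later use of `$target` is not visible here.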