Closed
Description
Request::getHost() throws an UnexpectedValueException if the host is invalid/untrusted. This is not caught, leading to a FatalErrorException and a 500 Internal Server Error response.

This should be a 400 Bad Request response instead (it's a client, not a server, error; the description mentions deceptive request routing).

(For comparison, Django has a SuspiciousOperation exception that results in an HttpResponseBadRequest.)
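
An application-level way to return 400 for a rejected Host header, as an added example that is not part of the original issue and not Symfony's own code. It assumes symfony/http-foundation is installed through Composer; `handleRequest()` is a hypothetical helper, and the host names and trusted-host pattern are constructed.

```php
<?php
// Added example; handleRequest() is a hypothetical helper, not Symfony code.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

function handleRequest(Request $request): Response
{
    try {
        // Throws when the Host header is malformed or matches no trusted pattern.
        $host = $request->getHost();
    } catch (\UnexpectedValueException $e) {
        // Catch only around getHost(): the same exception class raised elsewhere
        // in the application is a genuine server-side error and should stay a 500.
        // The rejected header value is not echoed back to the client.
        return new Response(
            'Bad Request',
            Response::HTTP_BAD_REQUEST,
            ['Content-Type' => 'text/plain']
        );
    }

    return new Response('OK: ' . $host, Response::HTTP_OK, ['Content-Type' => 'text/plain']);
}

// Constructed allow-list: a single trusted host, given as a regex pattern.
Request::setTrustedHosts(['^app\.example\.test$']);

// Constructed Host header values: trusted, untrusted, and syntactically invalid.
$samples = ['app.example.test', 'other.example.test', 'bad host!'];

foreach ($samples as $hostHeader) {
    // With a path-only URI, Request::create() keeps the HTTP_HOST supplied here.
    $request = Request::create('/', 'GET', [], [], [], ['HTTP_HOST' => $hostHeader]);
    $response = handleRequest($request);
    printf("%-20s -> %d\n", $hostHeader, $response->getStatusCode());
}
```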