A request to establish a session with a first server is received from a client device. The first server is associated with a first hostname, and the request includes information identifying a second hostname purported to correspond to the first server. A Domain Name System (DNS) lookup using the second hostname is performed. A determination that the second hostname was spoofed by the client device is determined based on a response to the DNS lookup. In response to the determination being made that the request received from the client device includes the spoofed second hostname, a determination that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request is made, and an action to take with respect to the client device is determined.