diff --git a/cmd/XDC/main.go b/cmd/XDC/main.go
index d12da2b726..b93795bbe3 100644
--- a/cmd/XDC/main.go
+++ b/cmd/XDC/main.go
@@ -124,8 +124,9 @@ var (
 utils.EnableXDCPrefixFlag,
 utils.NetworkIdFlag,
 utils.HTTPCORSDomainFlag,
- utils.AuthHostFlag,
+ utils.AuthListenFlag,
 utils.AuthPortFlag,
+ utils.AuthVirtualHostsFlag,
 utils.JWTSecretFlag,
 utils.HTTPVirtualHostsFlag,
 utils.EthStatsURLFlag,
diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go
index 227840de93..5c1e515560 100644
--- a/cmd/utils/flags.go
+++ b/cmd/utils/flags.go
@@ -398,20 +398,26 @@ var (
 Category: flags.APICategory,
 }
 // Authenticated RPC HTTP settings
- AuthHostFlag = &cli.StringFlag{
- Name: "authrpc.host",
+ AuthListenFlag = &cli.StringFlag{
+ Name: "authrpc-addr",
 Usage: "Listening address for authenticated APIs",
- Value: node.DefaultConfig.AuthHost,
+ Value: node.DefaultConfig.AuthAddr,
 Category: flags.APICategory,
 }
 AuthPortFlag = &cli.IntFlag{
- Name: "authrpc.port",
+ Name: "authrpc-port",
 Usage: "Listening port for authenticated APIs",
 Value: node.DefaultConfig.AuthPort,
 Category: flags.APICategory,
 }
+ AuthVirtualHostsFlag = &cli.StringFlag{
+ Name: "authrpc-vhosts",
+ Usage: "Comma separated list of virtual hostnames from which to accept requests (server enforced). Accepts '*' wildcard.",
+ Value: strings.Join(node.DefaultConfig.AuthVirtualHosts, ","),
+ Category: flags.APICategory,
+ }
 JWTSecretFlag = &cli.StringFlag{
- Name: "authrpc.jwtsecret",
+ Name: "authrpc-jwtsecret",
 Usage: "JWT secret (or path to a jwt secret) to use for authenticated RPC endpoints",
 Category: flags.APICategory,
 }
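Review bot: The renames in the cmd/utils/flags.go hunk (`authrpc.host` to `authrpc-addr`, `authrpc.port` to `authrpc-port`, `authrpc.jwtsecret` to `authrpc-jwtsecret`) drop the old spellings without an alias, so existing start scripts and service units that pass the dotted names will presumably be rejected as unknown flags after the upgrade. If the old names should keep working for a release, add them as aliases, e.g. `Aliases: []string{"authrpc.host"},` on `AuthListenFlag`, and likewise on the port and secret flags. The `authrpc-vhosts` usage text could also state that `*` turns off Host-header checking on the authenticated endpoint, leaving the JWT secret as the only check on requests that reach the port.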
@@ -1040,12 +1046,15 @@ func setHTTP(ctx *cli.Context, cfg *node.Config) {
 cfg.HTTPPort = ctx.Int(HTTPPortFlag.Name)
 }
- if ctx.IsSet(AuthHostFlag.Name) {
- cfg.AuthHost = ctx.String(AuthHostFlag.Name)
+ if ctx.IsSet(AuthListenFlag.Name) {
+ cfg.AuthAddr = ctx.String(AuthListenFlag.Name)
 }
 if ctx.IsSet(AuthPortFlag.Name) {
 cfg.AuthPort = ctx.Int(AuthPortFlag.Name)
 }
+ if ctx.IsSet(AuthVirtualHostsFlag.Name) {
+ cfg.AuthVirtualHosts = SplitAndTrim(ctx.String(AuthVirtualHostsFlag.Name))
+ }
 cfg.HTTPCors = SplitAndTrim(ctx.String(HTTPCORSDomainFlag.Name))
 cfg.HTTPModules = SplitAndTrim(ctx.String(HTTPApiFlag.Name))
@@ -1054,7 +1063,6 @@ func setHTTP(ctx *cli.Context, cfg *node.Config) {
 if ctx.IsSet(HTTPPathPrefixFlag.Name) {
 cfg.HTTPPathPrefix = ctx.String(HTTPPathPrefixFlag.Name)
 }
-
 if ctx.IsSet(HTTPReadTimeoutFlag.Name) {
 cfg.HTTPTimeouts.ReadTimeout = ctx.Duration(HTTPReadTimeoutFlag.Name)
 }
diff --git a/node/config.go b/node/config.go
index 6aaf109e66..dc9f7d5e5f 100644
--- a/node/config.go
+++ b/node/config.go
@@ -138,12 +138,13 @@ type Config struct {
 // AuthAddr is the listening address on which authenticated APIs are provided.
 AuthAddr string `toml:",omitempty"`
- // AuthHost is the listening address on which authenticated APIs are provided.
- AuthHost string `toml:",omitempty"`
-
 // AuthPort is the port number on which authenticated APIs are provided.
 AuthPort int `toml:",omitempty"`
+ // AuthVirtualHosts is the list of virtual hostnames which are allowed on incoming requests
+ // for the authenticated api. This is by default {'localhost'}.
+ AuthVirtualHosts []string `toml:",omitempty"`
+
 // WSHost is the host interface on which to start the websocket RPC server. If
 // this field is empty, no websocket API endpoint will be started.
 WSHost string
diff --git a/node/defaults.go b/node/defaults.go
index d8a51a0aba..32dc01fbf0 100644
--- a/node/defaults.go
+++ b/node/defaults.go
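Review bot: In the first setHTTP hunk, `--authrpc-vhosts` is copied into `cfg.AuthVirtualHosts` without regard to what `--authrpc-addr` was set to, so a node can start with a non-loopback listen address and `*` as the vhost list and nothing in the log records it. A one-line warning after the new block would give operators and later log review something to find, for example `if slices.Contains(cfg.AuthVirtualHosts, "*") { log.Warn("authrpc accepts any Host header", "addr", cfg.AuthAddr) }`. Whether `slices` and `log` are already imported in this file is not visible from the hunk. setHTTP starts and ends outside the hunk.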
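Review bot: The new doc comment on `AuthVirtualHosts` in node/config.go gives the default as `{'localhost'}`, but the value actually comes from `DefaultAuthVhosts` (wired up in the node/defaults.go change), whose contents are not shown in this diff. Pointing the comment at the constant keeps the two from drifting: `// for the authenticated api. The default is DefaultAuthVhosts.` Separately, with `AuthHost` removed, a TOML file that still sets `AuthHost` no longer configures the listen address. Depending on how the loader treats unknown keys (not visible here) that is either a startup error or a silent fall-back to the default `AuthAddr`, which is worth a line in the release notes. The Config struct continues outside the hunk.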
@@ -58,6 +58,7 @@ var DefaultConfig = Config{
 HTTPPort: DefaultHTTPPort,
 AuthAddr: DefaultAuthHost,
 AuthPort: DefaultAuthPort,
+ AuthVirtualHosts: DefaultAuthVhosts,
 HTTPModules: []string{"net", "web3"},
 HTTPVirtualHosts: []string{"localhost"},
 HTTPTimeouts: rpc.DefaultHTTPTimeouts,
diff --git a/node/node.go b/node/node.go
index 0d373cef45..d5bb81f437 100644
--- a/node/node.go
+++ b/node/node.go
@@ -455,7 +455,7 @@ func (n *Node) startRPC() error {
 initAuth := func(apis []rpc.API, port int, secret []byte) error {
 // Enable auth via HTTP
 server := n.httpAuth
- if err := server.setListenAddr(n.config.AuthHost, port); err != nil {
+ if err := server.setListenAddr(n.config.AuthAddr, port); err != nil {
 return err
 }
 sharedConfig := rpcEndpointConfig{
@@ -466,7 +466,7 @@ func (n *Node) startRPC() error {
 }
 err := server.enableRPC(apis, httpConfig{
 CorsAllowedOrigins: DefaultAuthCors,
- Vhosts: DefaultAuthVhosts,
+ Vhosts: n.config.AuthVirtualHosts,
 Modules: DefaultAuthModules,
 prefix: DefaultAuthPrefix,
 rpcEndpointConfig: sharedConfig,
@@ -478,7 +478,7 @@ func (n *Node) startRPC() error {
 // Enable auth via WS
 server = n.wsServerForPort(port, true)
- if err := server.setListenAddr(n.config.AuthHost, port); err != nil {
+ if err := server.setListenAddr(n.config.AuthAddr, port); err != nil {
 return err
 }
 if err := server.enableWS(apis, wsConfig{
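Review bot: In the second node/node.go hunk, `Vhosts: n.config.AuthVirtualHosts` replaces a constant that was always populated with a field that is nil for any `Config` not derived from `DefaultConfig`, such as tests or embedders that build `node.Config{}` by hand. How `enableRPC` treats an empty vhost list is not visible in this hunk, so either outcome, rejecting every hostname or skipping the Host check, would be a surprise for those callers. Falling back keeps the previous behaviour: `vhosts := n.config.AuthVirtualHosts` followed by `if len(vhosts) == 0 { vhosts = DefaultAuthVhosts }` before the `enableRPC` call, then `Vhosts: vhosts,`. The `initAuth` closure begins in the preceding hunk and continues past this one.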