diff --git a/fw/hpack.c b/fw/hpack.c
index 4b72dd3bbf..7fd21d56bd 100644
--- a/fw/hpack.c
+++ b/fw/hpack.c
@@ -1556,7 +1556,15 @@ tfw_hpack_decode(TfwHPack *__restrict hp, unsigned char *__restrict src,
 
 			if (unlikely(!hp->length)) {
 				T_DBG3("%s: zero-length value\n", __func__);
-				r = T_DROP;
+
+				switch (req->pit.tag) {
+				case TFW_TAG_HDR_HOST:
+				case TFW_TAG_HDR_H2_AUTHORITY:
+					r = T_BAD;
+					break;
+				default:
+					r = T_DROP;
+				}
 				goto out;
 			}
 
diff --git a/fw/http.c b/fw/http.c
index 6acbfa99d6..b1ce70a477 100644
--- a/fw/http.c
+++ b/fw/http.c
@@ -5804,6 +5804,10 @@ tfw_http_req_process(TfwConn *conn, TfwStream *stream, struct sk_buff *skb)
 		TFW_INC_STAT_BH(clnt.msgs_parserr);
 		tfw_http_req_parse_drop(req, 400, "failed to parse request");
 		return TFW_BAD;
+	case TFW_BAD:
+		tfw_http_req_parse_block(req, 403,
+			"frang: Request authority is unknown");
+		return TFW_BLOCK;
 	case TFW_POSTPONE:
 		if (WARN_ON_ONCE(parsed != data_up.skb->len)) {
 			/*
diff --git a/fw/http_match.c b/fw/http_match.c
index 32d9262b6f..816700e062 100644
--- a/fw/http_match.c
+++ b/fw/http_match.c
@@ -427,7 +427,16 @@ match_hdr(const TfwHttpReq *req, const TfwHttpMatchRule *rule)
 	if (id == TFW_HTTP_HDR_RAW)
 		return match_hdr_raw(req, rule);
 
-	return hdr_val_eq(req, rule, id);
+	if (hdr_val_eq(req, rule, id))
+		return true;
+	switch (id) {
+	case TFW_HTTP_HDR_HOST:
+		return hdr_val_eq(req, rule, TFW_HTTP_HDR_H2_AUTHORITY);
+	case TFW_HTTP_HDR_H2_AUTHORITY:
+		return hdr_val_eq(req, rule, TFW_HTTP_HDR_HOST);
+	default:
+		return false;
+	}
 }
 
 static bool