diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f7ec7b81..9df61370 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -48,9 +48,8 @@ class ApplicationController < ActionController::Base
   # Block unknown hosts to mitigate host header injection attacks
   def block_unknown_hosts
     return unless Rails.env.production?
-    valid_hosts = ENV["SAFE_HOSTS"]
-    return raise UnsafeHostError, "SAFE_HOSTS not set in .env" if valid_hosts.blank?
-    raise UnsafeHostError, "#{request.host} is not a safe host" unless host_is_valid(valid_hosts)
+    return if config.hosts.blank?
+    raise UnsafeHostError, "#{request.host} is not a safe host" unless config.hosts.include?(request.host)
   end
 
   # Force SSL
@@ -261,15 +260,4 @@ class ApplicationController < ActionController::Base
       end
     end
   end
-
-  def host_is_valid(hosts)
-    hosts.split(",").each do |url|
-      # convert to regex
-      reg_url = url.gsub(".", "\\.")
-      sub_url = reg_url.gsub("*", ".{1,}")
-
-      return true if request.host.match(sub_url)
-    end
-    false
-  end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 4396a57b..b47d2ed8 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -155,4 +155,6 @@ Rails.application.configure do
 
   # Set the relative url root for deployment to a subdirectory.
   config.relative_url_root = ENV['RELATIVE_URL_ROOT'] || "/b" if ENV['RELATIVE_URL_ROOT'] != "/"
+
+  config.hosts = ENV['SAFE_HOSTS'].presence || nil
 end
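Review bot: `config.hosts.include?(request.host)` in block_unknown_hosts is only a safe test when `config.hosts` is an Array, but the value assigned in config/environments/production.rb in this same commit is the raw comma-separated SAFE_HOSTS string, and String#include? is a substring match, so any Host header that is a substring of that list (a fragment like `com,b` for a list `a.com,b.org`) would be accepted. The guard `return if config.hosts.blank?` also fails open where the removed line raised UnsafeHostError when the list was unset, and exact `include?` silently drops the `*` wildcard matching the removed host_is_valid provided. Inside a controller, `config` most likely resolves to the controller's own ActiveSupport::Configurable config rather than Rails.application.config, in which case `config.hosts` is nil and the whole check is skipped — worth confirming in the console before relying on it. A fail-closed, exact-match version would be `hosts = Array(Rails.application.config.hosts)` / `raise UnsafeHostError, "SAFE_HOSTS not set" if hosts.empty?` / `raise UnsafeHostError, "#{request.host} is not a safe host" unless hosts.include?(request.host)`, with the list split into an Array where it is configured.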
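Review bot: `config.hosts = ENV['SAFE_HOSTS'].presence || nil` stores the comma-separated string unchanged, but `config.hosts` is the list of host entries consumed by ActionDispatch::HostAuthorization, so a multi-host value becomes a single entry that matches no real Host header, and the `|| nil` is redundant because `presence` already returns nil for a blank value. Splitting is a one-line change: `config.hosts = ENV['SAFE_HOSTS'].to_s.split(',').map(&:strip).reject(&:empty?)`. Any entry written in the old `*.example.com` form would need to become `.example.com`, which is the subdomain wildcard form `config.hosts` understands. When the variable is unset the list is empty and host authorization is effectively disabled in production; if that is not intended, raising at boot when the list is empty preserves the fail-closed behaviour the controller used to have. The configure block continues outside the hunk.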