Duplicati upgrade - “The host header sent by the client is not allowed”
explains how it’s only trying to protect against a DNS rebinding attack.
In order to even get to the Hostnames field, you have to click this one:
Allow remote access (requires restart)
By allowing remote access, the server listens to requests from any machine on your network. If you enable this option, make sure you are always using the computer on a secure firewall protected network.
You’d be better off with some other way to do security, if it’s a concern.
What OS is this, and do you have any secured remote access onto it?
Basically get in that way and browse to Duplicati Settings on localhost.
If you wanted, you could use secure port forwarding to remote-browse.
For whatever it’s worth, you can also change this by starting Duplicati,
which might be a little easier and safer than an unencrypted database:
–webservice-allowed-hostnames: The hostnames that are accepted, separated with semicolons. If any of the hostnames are “*”, all hostnames are allowed and the hostname checking is disabled.
but it won’t provide much security. Would you trust all network access?
If you allow remote GUI or port forwarding, I think you can get localhost.
If you can remotely administer the firewall, that might be another option.