Django raises an `Invalid HTTP_HOST header`, it's not causing an error, I meant that it's obvious wrong and that CF WAF should catch that before reaching the origin server.

Oh, I mean the default settings are to let most requests through and block ones that meet some threshold for bad. You can tweak the settings or add your own rules though. You can easily configure CF's WAF to block Host headers with invalid characters. I personally wouldn't bother.

I wouldn't read too much into the defaults. I'm sure they're aiming for a sweet spot between blocking likely attacks and generating too many support tickets from crappy apps that rely on some non-spec behavior. It's not meant to be proof a request is well formed.