Tags: security, http, web2py, host headers

Host header vulnerability web2py


The forgot-password and user-verification code has a host header vulnerability.

An attacker can generate user verification and password reset requests from the server that include his own domain.

Is there a better way out?

https://github.com/web2py/web2py/issues/1196


Solution

  • I see the problem's solution as a multi-tier security approach.

    Apache acts as a gatekeeper, which, if configured properly, can restrict anonymous host headers from being routed to the application. (Still not sure about the cache injections.)

    Though online anonymous domain host headers may not pose any threat to the application in an HTTPS scenario,

    offline requests like forgot-password email reset requests do pose a big threat, because an evil attacker can request a forgot-password email reset over an anonymous domain host header. Then, if the actual user clicks the password reset link, the evil attacker will get hold of the reset code.

    Now here the application is relying on the host headers routed by Apache for creating the offline response. That should not happen (Apache should be held responsible for online traffic). Thus the application should have its own mechanism for domain name configuration and for creating offline responses.
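The two patterns the answer contrasts, as an added Python illustration that is not web2py's own code and not from the linked issue: one helper builds the reset link from the inbound Host header (the vulnerable pattern, where the sender of the request chooses the domain that lands in the victim's e-mail), the other builds it from application configuration only. A third helper shows the "gatekeeper" allowlist check the answer assigns to Apache, applied here in Python so it can be tested offline. The WSGI-style environments, the `APP_CONFIG` dict, the `/user/reset_password` path and the `key` parameter are all constructed assumptions for the example.

```python
import re
from urllib.parse import urlencode, urlunsplit

# Constructed sample WSGI-style environments (not captured from a real server).
LEGIT_ENV = {"HTTP_HOST": "app.example.com", "wsgi.url_scheme": "https"}
ATTACKER_ENV = {"HTTP_HOST": "evil.example.net", "wsgi.url_scheme": "https"}

# Hypothetical application configuration: the canonical public host the
# application should use for anything it sends out-of-band (e-mail links).
APP_CONFIG = {
    "scheme": "https",
    "host": "app.example.com",
    "allowed_hosts": {"app.example.com", "www.app.example.com"},
}

RESET_PATH = "/user/reset_password"  # assumed path for the example


def reset_url_from_request(env, token):
    """Vulnerable pattern: the link placed in the offline e-mail is built from
    the inbound Host header, so whoever sends the forgot-password request
    decides which domain the victim's reset code is delivered to."""
    query = urlencode({"key": token})
    return urlunsplit((env["wsgi.url_scheme"], env["HTTP_HOST"], RESET_PATH, query, ""))


def reset_url_from_config(config, token):
    """Hardened pattern: the link is built from configuration only; nothing
    attacker-controlled in the request influences the host or scheme."""
    query = urlencode({"key": token})
    return urlunsplit((config["scheme"], config["host"], RESET_PATH, query, ""))


# Conservative Host syntax: hostname plus optional port. Bracketed IPv6
# literals are deliberately not accepted by this simple check.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def host_is_allowed(env, config):
    """Gatekeeper check (what a properly configured Apache vhost does for
    online traffic): accept only Host headers naming one of our own hosts.
    An optional :port suffix is stripped before the comparison."""
    host = env.get("HTTP_HOST", "")
    if not _HOST_RE.match(host):
        return False
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    return hostname.lower() in config["allowed_hosts"]


def handle_forgot_password(env, config, token):
    """Request handler combining both layers: refuse unknown hosts up front,
    and even for accepted hosts never let Host reach the e-mail body.
    Returns the URL to mail, or None when the request must be rejected
    (the caller would answer 400 and send no e-mail)."""
    if not host_is_allowed(env, config):
        return None
    return reset_url_from_config(config, token)


if __name__ == "__main__":
    token = "constructed-token-value"  # a fresh random token in a real app
    print("vulnerable, attacker host :", reset_url_from_request(ATTACKER_ENV, token))
    print("hardened,   attacker host :", handle_forgot_password(ATTACKER_ENV, APP_CONFIG, token))
    print("hardened,   legit host    :", handle_forgot_password(LEGIT_ENV, APP_CONFIG, token))
```

Running the block shows the vulnerable helper happily emitting `https://evil.example.net/...` for the attacker's request, while the hardened handler refuses that request and, for a legitimate one, emits the configured host regardless of what Host said. A reverse proxy that blindly forwards `X-Forwarded-Host` reintroduces the same problem if the application reads that header instead; the configuration-only rule applies to it as well.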