diff --git a/config/environments/production.rb b/config/environments/production.rb
index 96389b9fe..7c5b95e71 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -82,7 +82,11 @@
 config.active_record.dump_schema_after_migration = false
 
 # Enable DNS rebinding protection and other `Host` header attacks.
- config.hosts << /.*\.forms\.service\.gov\.uk/
+ config.hosts [
+ /.*\.forms\.service\.gov\.uk/,
+ IPAddr.new('10.10.0.0/16') # for healthchecks in ECS
+ ]
+
 # Skip DNS rebinding protection for the default health check endpoint.
 # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end
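Review bot: `config.hosts [` has no operator, so Ruby parses it as a call to the `hosts` reader with the array passed as an argument; assuming `hosts` is the plain accessor Rails defines, that raises ArgumentError at boot, and in any case the entries are never added to the allow-list. The opening line should keep the append semantics of the removed `<<`, for example `config.hosts += [`. Separately, accepting any Host value inside `10.10.0.0/16` relaxes Host-header checking for every route rather than only the health check; the commented-out `config.host_authorization = { exclude: ->(request) { request.path == "/up" } }` just below would exempt only that path, if the ECS check targets `/up`. The enclosing configure block starts outside the hunk, so this is judged from the visible lines only.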