diff --git a/etcdmain/config.go b/etcdmain/config.go
index 86fff2695..80ca6cb61 100644
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -85,10 +85,11 @@ type config struct {
 // configFlags has the set of flags used for command line parsing a Config
 type configFlags struct {
- flagSet *flag.FlagSet
- clusterState *flags.StringsFlag
- fallback *flags.StringsFlag
- proxy *flags.StringsFlag
+ flagSet *flag.FlagSet
+ hostWhitelist string
+ clusterState *flags.StringsFlag
+ fallback *flags.StringsFlag
+ proxy *flags.StringsFlag
 }
 func newConfig() *config {
@@ -189,6 +190,7 @@ func newConfig() *config {
 fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
+ fs.StringVar(&cfg.cf.hostWhitelist, "host-whitelist", "", "Comma-separated acceptable hostnames from HTTP client requests, if server is not secure (empty means allow all).")
 // logging
 fs.BoolVar(&cfg.ec.Debug, "debug", false, "Enable debug-level logging for etcd.")
@@ -275,6 +277,12 @@ func (cfg *config) configFromCmdLine() error {
 cfg.ec.ListenMetricsUrls = []url.URL(u)
 }
+ hosts := strings.Split(cfg.cf.hostWhitelist, ",")
+ for i := range hosts {
+ hosts[i] = strings.TrimSpace(hosts[i])
+ }
+ cfg.ec.HostWhitelist = hosts
+
 cfg.ec.ClusterState = cfg.cf.clusterState.String()
 cfg.cp.Fallback = cfg.cf.fallback.String()
 cfg.cp.Proxy = cfg.cf.proxy.String()
diff --git a/etcdmain/help.go b/etcdmain/help.go
index 6349a7e86..600a336f4 100644
--- a/etcdmain/help.go
+++ b/etcdmain/help.go
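Review bot: In configFromCmdLine (third hunk of etcdmain/config.go), `strings.Split(cfg.cf.hostWhitelist, ",")` never returns an empty slice: with the flag left at its default `""` it yields one empty string, so `cfg.ec.HostWhitelist` becomes `[""]` rather than empty. The flag text in newConfig and in help.go promises that empty means allow all, which only holds if the consumer of `HostWhitelist` (not part of this diff) skips blank entries; a plain length check there would see a one-entry list. A trailing comma or `a,,b` leaves the same blank entry behind. Dropping blank entries while trimming keeps the default a genuinely empty list, so the allow-all versus restricted decision rests on an unambiguous value. configFromCmdLine starts and ends outside the hunk.

```go
	// … unchanged: ListenMetricsUrls handling …
	var hosts []string
	for _, h := range strings.Split(cfg.cf.hostWhitelist, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hosts = append(hosts, h)
		}
	}
	cfg.ec.HostWhitelist = hosts
	// … unchanged: ClusterState, Fallback and Proxy assignments …
```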
@@ -158,6 +158,8 @@ security flags:
 peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided.
 --peer-crl-file ''
 path to the peer certificate revocation list file.
+ --host-whitelist ''
+ acceptable hostnames from HTTP client requests, if server is not secure (empty means allow all).
 logging flags