If I’m reading https://github.com/nginx/nginx/pull/966 right (not a given on my phone), just having nginx in front would help because it’s now filtering the characters which make this attack possible.
But you have to be super careful about defining the mitigations for this one, as for example Cloudflare passes malicious headers as-is without extra configuration, leaving hosts vulnerable when they are assumed to be protected.
Yes, you always want to test any mitigation, but Cloudflare and AWS ALBs both blocked non-DNS characters in host headers with no additional configuration when I tested it. It would be surprising if Cloudflare didn’t because the Host header is how they know which customer to route a request to.