diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java b/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
index a1d44f84e495..a7cf1409bb32 100644
--- a/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
+++ b/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
@@ -27,10 +27,10 @@ public class TrustedHostFilter extends ExceptionMapperBase implements ContainerR
 @Override
 public ContainerRequest filter(ContainerRequest request) {
- if (Settings.getBoolean(SettingCodes.API_TRUSTED_HOSTS_ONLY, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY)) { // && !WebUtil.isTrustedHost(this.request)) {
+ if (Settings.getBoolean(SettingCodes.API_TRUSTED_HOSTS_ONLY, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY) && !WebUtil.isTrustedHost(this.request)) {
 Pattern whitelistRegExp = Settings.getRegexp(SettingCodes.API_TRUSTED_HOSTS_ONLY_WHITELIST_PATH_REGEXP, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY_WHITELIST_REGEXP);
- if (whitelistRegExp != null && !whitelistRegExp.matcher(request.getRequestUri().getPath()).find()) {
+ if (whitelistRegExp != null || !whitelistRegExp.matcher(request.getRequestUri().getPath()).find()) {
 AuthorisationException ex = new AuthorisationException(Messages.getMessage(MessageCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST, WebUtil.getRemoteHost(this.request)));
 ex.setErrorCode(AuthorisationExceptionCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST);
 throw new WebApplicationException(ex);
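Review bot: The rewritten inner condition `whitelistRegExp != null || !whitelistRegExp.matcher(...).find()` cannot act as a path whitelist. With a pattern configured the left operand is already true, so every request from an untrusted host is rejected whatever its path. With no pattern configured the right operand dereferences null and throws a NullPointerException rather than the AuthorisationException built on the following lines. If the intent is to deny when no whitelist is set or the path is not whitelisted, the test should read `if (whitelistRegExp == null || !whitelistRegExp.matcher(request.getRequestUri().getPath()).find()) {`. Separately, `find()` matches anywhere in the path, so the configured pattern presumably needs `^`/`$` anchors, which is worth a comment at the `Settings.getRegexp` lookup; the body of filter() continues past the end of this hunk.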