diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 8c2b1327a..1094cf820 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -5,4 +5,4 @@ const SNYK_DEFAULT_API_VERSION = "2024-04-22"
 const SNYK_DEFAULT_IN_MEMORY_THRESHOLD_MB = 512 * 1024 * 1024
 const SNYK_DOCS_URL = "https://docs.snyk.io"
 const SNYK_DOCS_ERROR_CATALOG_PATH = "/scan-with-snyk/error-catalog"
-const SNYK_DEFAULT_ALLOWED_HOST_REGEXP = `^(https?://)?api(\.(.+))?\.(snyk|snykgov)\.io$`
+const SNYK_DEFAULT_ALLOWED_HOST_REGEXP = `^(https?:\/\/)?api(\.([a-z0-9._-]+))?\.(snyk|snykgov)\.io$`
diff --git a/pkg/auth/authHost_test.go b/pkg/auth/authHost_test.go
index 8d96febd0..565779b6b 100644
--- a/pkg/auth/authHost_test.go
+++ b/pkg/auth/authHost_test.go
@@ -17,10 +17,17 @@ func Test_isValidAuthHost(t *testing.T) {
 {"api.snyk.io", true},
 {"api.snykgov.io", true},
 {"api.pre-release.snykgov.io", true},
+ {"api.a.b.c.snyk.io", true},
 {"snyk.io", false},
 {"api.example.com", false},
 {"api.snyk.evil.com", false},
 {"evilsnykgov.io", false},
+ {"api.example.snyk.io.evil.com", false},
+ {"api.snyk.io.attacker.com", false},
+ {"api.snyk.io/haha", false},
+ {"api.attacker.io/haha.snyk.io", false},
+ {"token@api.snyk.io", false},
+ {"api.something api.snyk.io", false},
 }
 for _, tc := range testCases {
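Review bot: The tightened SNYK_DEFAULT_ALLOWED_HOST_REGEXP in internal/constants/constants.go carries no comment saying why the subdomain part is now a restricted character class rather than `.+`, so the next edit that "relaxes" it for a new environment will not know what it is protecting; add `// SNYK_DEFAULT_ALLOWED_HOST_REGEXP allows only api[.<labels>].snyk.io / .snykgov.io; the label class [a-z0-9._-] deliberately excludes '/', '@', ':' and whitespace so a matching string cannot smuggle a path, userinfo, port or a second host.` above the constant. The `\/` escape is redundant in a Go raw string (RE2 treats it as a literal `/`, and the removed line used plain `//`), so `^(https?://)?api(\.([a-z0-9._-]+))?\.(snyk|snykgov)\.io$` reads cleaner with identical matching. The class is lowercase-only; if the caller does not lowercase the host before matching, a mixed-case hostname such as `api.Snyk.io` now fails closed, which is safe but worth pinning with a case in the Test_isValidAuthHost table (the second hunk, whose end lies outside this chunk) or documenting on the constant.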