allowOrigin not working on 1.2.2 / K8S 1.14.3

I was running some vulnerability testings on service mesh and I got 2 things connected with istio that I can’t find how to solve: the first one was I was advised to change the response headers to not show server: envoy-proxy, the second one is that I need to whitelist specific domains in with allowOrigin (currently I have a wildcard and if I send a request from some hacking domain for example it will pass. I have tried to whitelist specific domain like http:// or or without port, but it didn’t block anything. Currently I am on 1.2.2, but tested on 1.4 as well. I saw there is a github issue about it, but did anyone manage to get around it somehow on that verison?