Need help on server_host and cors_allowed_origins to avoid unauthorized access

I am trying to restrict remote access to my HA instance and need help to figure out any of this http component variable will help?
I have seen following in few examples, can someone explain what that mean please?

Also what about server_host? Can I list more than one? Any example?
I am using duckdns with let’s encrypt certificate with password access to HA but the CUJO firewall showing me lots of unauthorized access attempt on my Ubuntu machine port 8123.