On the Config tab > Manage Websites there is a field Type that could be
The type indicates if a host name is the primary host, editing host, or if the host should be redirected.
From this description it's not clear what Primary host actually is used for?
If there are a number of site aliases and none marked as Primary, what could be the effect?
It's used if you have old domains that are no longer used that you want to redirect to your new site. If an old domain is redirected it will 301 the user to the site marked as primary. So it's used to resolve a tie between multiple sites for redirects, as I understand it, if there exists more than one for the same culture. If you leave it out you might get some redirects ending up on another site than the one you want...
The editing host type is used to indicate if you have a separate server for editors for security reasons.
Redirects are more commonly set up at DNS level by the way, so I haven't used it much... if I'm wrong, can someone please correct me? :)
Primary is used when you want to get the "official" host for your website, or the "official" host for a specific language on your website.
If you have multiple domains registered and browse on the "non official" one, getting an absolute URL will give the "non official one". This is extra risky if you're sending out e-mails and need links to pages and images from your website and you don't want your visitors to use the wrong host.
Another example is if you have a load balanced environment or a CDN in front of your server where www.yoursite.com has a public DNS to your load balancer/CDN, which in turn fetches the content from your web server at behind.yoursite.com. You set up both www.yourdomain.com and behind.yourdomain.com in admin mode, but unless you set www to be primary, absolute URLs generated in Episerver risk using behind.yoursite.com because the server can't really know which to use (using a CDN, Episerver will most probably use behind.yoursite.com because that's the host used in the HTTP request).
A third example: you use multiple domains for your multi-language site where www.yoursite.de goes to the German translations, www.yoursite.se to the Swedish and so on. You might have the need to use multiple domains for German but www.yoursite.de is still the official one. Make sure that this host is primary and Episerver will know for sure when generating absolute URLs for German pages.
Some examples would be "old address" as Daniel mentioned. You can set permanent and temporary redirects depending on how you want SEO and various caches (such as in the browser) to handle the redirects.
You've probably seen that you can set http and https as well. This could be useful with a redirect to make sure that you need to browse your website on https.
I haven't tested this myself, but as Daniel says its purpose is to be used when you have a specific editing server. These are mostly only accessible internally for security reasons.
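
The host selection described in the answers above, as an added example that is not part of the thread and not Episerver's own code: a simplified Python model of how a primary host fixes the host used in absolute URLs, plus an audit check for languages that have none. The `Host` class, the type labels, the `https` scheme and the `german.yoursite.com` alias are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    type: str = ""                  # "" (plain alias) or "Primary" in this model
    language: Optional[str] = None  # None means the host serves every language

def official_host(hosts, language, request_host):
    """Host for absolute URLs: language primary, then site primary, else request host."""
    primaries = [h for h in hosts if h.type == "Primary"]
    for wanted in (language, None):
        for h in primaries:
            if h.language == wanted:
                return h.name
    # No primary configured: the link inherits whatever host the request carried.
    return request_host

def absolute_url(hosts, language, request_host, path):
    # The https scheme is an assumption of this example.
    return f"https://{official_host(hosts, language, request_host)}{path}"

def languages_without_primary(hosts, languages):
    """Audit check: languages whose absolute URLs depend on the request host."""
    return [lang for lang in languages
            if official_host(hosts, lang, request_host=None) is None]

# Constructed sample configurations using the host names from the thread.
NO_PRIMARY = [Host("www.yoursite.com"), Host("behind.yoursite.com"),
              Host("www.yoursite.de", language="de")]
WITH_PRIMARY = [Host("www.yoursite.com", "Primary"), Host("behind.yoursite.com"),
                Host("www.yoursite.de", "Primary", "de"),
                Host("german.yoursite.com", language="de")]  # hypothetical extra alias

if __name__ == "__main__":
    for hosts in (NO_PRIMARY, WITH_PRIMARY):
        # Request forwarded by the CDN, so it carries the origin host name.
        print(absolute_url(hosts, "en", "behind.yoursite.com", "/news"))
        # Request on a secondary German domain.
        print(absolute_url(hosts, "de", "german.yoursite.com", "/nachrichten"))
        print(languages_without_primary(hosts, ["en", "de", "sv"]))
```

With no primary set, every generated link follows the request host, which is the case the e-mail and CDN examples in the thread describe.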