SECURITY: enforce hostname to match discourse hostname

This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname

lib/middleware/enforce_hostname.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Middleware
+  class EnforceHostname
+    def initialize(app, settings = nil)
+      @app = app
+    end
+
+    def call(env)
+      # enforces hostname to match the hostname of our connection
+      # this middleware lives after rails multisite so at this point
+      # Discourse.current_hostname MUST be canonical, enforce it so
+      # all Rails helpers are guarenteed to use it unconditionally and
+      # never generate incorrect links
+      env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil
+      env[Rack::HTTP_HOST] = Discourse.current_hostname
+      @app.call(env)
+    end
+  end
+end