SECURITY: enforce hostname to match discourse hostname

This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname

spec/requests/application_controller_spec.rb

@@ -213,6 +213,19 @@ RSpec.describe ApplicationController do
     end
   end
 
+  describe 'Custom hostname' do
+
+    it 'does not allow arbitrary host injection' do
+      get("/latest",
+        headers: {
+          "X-Forwarded-Host" => "test123.com"
+        }
+      )
+
+      expect(response.body).not_to include("test123")
+    end
+  end
+
   describe 'Content Security Policy' do
     it 'is enabled by SiteSettings' do
       SiteSetting.content_security_policy = false