Add basic host header injection protection

Author: citizen428

README.md

@@ -11,6 +11,7 @@ To get going clone this repository and perform the following steps:
    Alternatively perform all of the following steps manually.
 1. Change application name in `config/application.rb`.
 1. Update `database.yml` to reflect the new application name.
+1. Update `TODO` items in `config/environments/production.rb`.
 1. If you plan on using Figaro, copy `config/application.yml.example` to `config/application.yml`.
 1. ESLint is preconfigured for modern JS with React support (AirBnB styleguide). If you want to use
    it install packages with `npm install`, otherwise remove `.eslintrc` and `package.json`. 

config/environments/production.rb

@@ -93,4 +93,11 @@
 
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+
+  # TODO: Prevent host header injection
+  # Uncomment and configure the following configuration option(s).
+  # If your environment is more difficult (subdomains or different TLDs), try
+  # https://github.com/synack/rack-allowed_hosts instead.
+  # config.action_controller.default_url_options = { host: "www.yoursite.com" }
+  # config.action_controller.asset_host = "www.yoursite.com"
 end