Configure hosts for application

Note: the healthcheck endpoints are requested by IP, not domain, so we
need to specifically exclude them from the protection.

config/environments/production.rb

@@ -83,4 +83,12 @@
 
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  config.hosts = [
+    /content-tagger\..*gov.uk?/,
+  ]
+
+  # Skip DNS rebinding protection for the default health check endpoint.
+  config.host_authorization = { exclude: ->(request) { request.path.match?("^\/healthcheck") } }
 end