Introduce extra security for x-forwarded-host header

I think this secures the website even more by also checking the x-forwarded-host header for every request.
This is an addition to the previous commit

tubesync/tubesync/local_settings.py.container

@@ -19,6 +19,11 @@ CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS_STR.split(',')
 ALLOWED_HOSTS = [127.0.0.1]
 
 
+if len(ALLOWED_HOSTS_STR) > 0:
+    USE_X_FORWARDED_HOST = True
+    ALLOWED_HOSTS += CSRF_TRUSTED_ORIGINS
+
+
 DEBUG = True if os.getenv('TUBESYNC_DEBUG', False) else False
 FORCE_SCRIPT_NAME = os.getenv('DJANGO_FORCE_SCRIPT_NAME', None)
 TIME_ZONE = os.getenv('TZ', 'UTC')