Why not validate request.hostname?

This middleware is nice, but it doesn't seem to work with `app.set('trust proxy', true)`. In such a case, the header to validate would be `x-forwarded-host`. `request.hostname` will populate with `host` header if not trusting proxy, and `x-forwarded-for` if trusted.