The old CSRF middleware used exact string matching against a static list
of origins (https://host, http://localhost:port). This broke when the
frontend ran on a different port (Vite dev server) or accessed via LAN IP.
New behavior:
- Origin hostname matching: any Origin whose hostname matches cfg.Host
is trusted, regardless of scheme or port
- Localhost variants always trusted: localhost, 127.0.0.1, ::1
- Additional origins can be passed explicitly (future env var support)