Add `Enabled` option for request validation, in favor of `AllowLocal` (please provide feedback)

[Swimburger]

trafficstars

Recently, the default value for AllowLocal has been changed from true to false. This was because AllowLocal makes the request validation vulnerable to Server-Side Request Forgery.

Maybe it makes more sense to build in a kill-switch to turn on/off request validation as a whole, instead of AllowLocal. This option would respect .NET configuration's reloadOnChange feature, so it can be changed without having to restart the application.

I'm just thinking out loud here and would like feedback, thank you!

[dkrasnove]

I second this. I have to use a workaround because I'm running locally in docker.