I suspect Rails 6.1 defaults enables the ActionDispatch::HostAuthorization middleware by default. We have introduced it in the settings.yaml here:
But the installer doesn’t expose it. AFAIK this configuration was done by default as part of some CVE fixes. Quoting the description:
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to