diff --git a/lib/parklife/rails.rb b/lib/parklife/rails.rb index d79ba01..9eff877 100644 --- a/lib/parklife/rails.rb +++ b/lib/parklife/rails.rb @@ -20,6 +20,25 @@ def base=(value) end class Railtie < Rails::Railtie + initializer 'parklife.disable_host_authorization' do |app| + # The offending middleware is included in Rails (6+) development mode and + # rejects a request with a 403 response if its host isn't present in the + # allowlist (a security feature). This prevents Parklife from working in + # a Rails app out of the box unless you manually add the expected + # Parklife base to the hosts allowlist or set it to nil to disable it - + # both of which aren't great because they disable the security feature + # whenever the development server is booted. + # + # https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization + # + # However it's safe to remove the middleware at this point because it + # won't be executed in the normal Rails development flow, only via a + # Parkfile when parklife/rails is required. + if defined?(ActionDispatch::HostAuthorization) + app.middleware.delete(ActionDispatch::HostAuthorization) + end + end + config.after_initialize do Parklife.application.config.app = Rails.application diff --git a/spec/parklife/rails_spec.rb b/spec/parklife/rails_spec.rb index 143a092..6c250a7 100644 --- a/spec/parklife/rails_spec.rb +++ b/spec/parklife/rails_spec.rb @@ -67,4 +67,8 @@ [rails_app.default_url_options, ActionController::Base.relative_url_root] } end + + it 'removes host authorization middleware' do + expect(Rails.application.middleware).not_to include(ActionDispatch::HostAuthorization) + end end
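Review bot: The `parklife.disable_host_authorization` initializer deletes `ActionDispatch::HostAuthorization` for every process that loads this Railtie, and the only thing scoping that to Parklife builds is the convention stated in the comment that `parklife/rails` is required from a Parkfile; if the file is ever loaded into a normal server boot (for example through a Bundler autorequire) the DNS-rebinding protection is removed silently. A cheaper and more visible alternative, if the Parklife base host is known at this point (I cannot tell from the hunk), is to add that host to `app.config.hosts` rather than deleting the middleware. If deletion stays, please make it observable, e.g. after the `delete` call add `warn 'parklife: removed ActionDispatch::HostAuthorization middleware for this process'` (or a Rails logger call if the logger is guaranteed to be configured at initializer time), so a misplaced require shows up in the console. The enclosing `class Railtie < Rails::Railtie` closes outside the hunk.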