
Stop recommending @web for site URLs #15347

Merged: brandonkelly merged 2 commits into 4.11 from feature/cms-1313-stop-defaulting-site-urls-to-web on Jul 13, 2024

brandonkelly (Member) commented Jul 13, 2024

Stop suggesting @web for the Base URL value on new sites, and actively warn against it for sites that already use it—even if it was set explicitly via the aliases config setting.

Setting @web explicitly avoids a cache poisoning vulnerability, but leads to other issues:

  • If Craft is accessed via multiple host names/webroots, it needs to be set dynamically based on the currently-requested URL, which adds a lot of complexity to the config.
  • If there are multiple sites and at least one has a Base URL that starts with @web (and if @web is being defined correctly, based on the currently-requested URL), then that site(s) will always be treated as a candidate for serving the request. Also, Craft won’t be able to generate accurate cross-site URLs.

So instead of defaulting site Base URLs to @web/, the setting is now auto-populated with an environment variable name based on the site name (e.g. Foo Bar → $FOO_BAR_URL).
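An added example, not part of the original PR and not Craft's own code: a stand-alone PHP audit that flags site Base URL values starting with @web and proposes a replacement variable in the "Foo Bar → $FOO_BAR_URL" style. The function names, the exact name-to-variable rule and the sample sites are assumptions made for illustration.

```php
<?php
// Added example (not Craft's implementation). The naming rule is an assumption
// modelled on the PR's "Foo Bar → $FOO_BAR_URL" illustration.

/** Suggest an environment variable reference for a site name. */
function suggestBaseUrlEnvVar(string $siteName): string
{
    // Collapse each run of non-alphanumeric characters into one underscore.
    $slug = strtoupper(trim(preg_replace('/[^A-Za-z0-9]+/', '_', $siteName), '_'));
    if ($slug === '') {
        $slug = 'SITE'; // Name had no ASCII letters or digits.
    } elseif (preg_match('/^[0-9]/', $slug) === 1) {
        $slug = 'SITE_' . $slug; // Variable names cannot start with a digit.
    }
    return '$' . $slug . '_URL';
}

/** True when the Base URL is the @web alias itself or a path beneath it. */
function usesWebAlias(?string $baseUrl): bool
{
    // "(/|$)" keeps other aliases that merely begin with "@web" from matching.
    return $baseUrl !== null && preg_match('#^@web(/|$)#', trim($baseUrl)) === 1;
}

/**
 * @param array<string, ?string> $sites site name => Base URL setting
 * @return array<string, string> flagged site name => suggested variable
 */
function auditSites(array $sites): array
{
    $findings = [];
    foreach ($sites as $name => $baseUrl) {
        if (usesWebAlias($baseUrl)) {
            $findings[$name] = suggestBaseUrlEnvVar((string) $name);
        }
    }
    return $findings;
}

// Constructed sample data, not taken from a real project.
$sites = [
    'Foo Bar'      => '@web/',
    'Foo Bar (DE)' => '@web/de',
    'Docs'         => '$DOCS_URL',   // already an environment variable
    'Headless'     => null,          // site without URLs
    'Mirror'       => '@webroot/x',  // different alias, not flagged
];

foreach (auditSites($sites) as $name => $envVar) {
    printf("%s: Base URL starts with @web; use %s instead\n", $name, $envVar);
}
```

On the constructed data this flags "Foo Bar" and "Foo Bar (DE)" only. A flagged value with a path, such as @web/de, needs that path carried into the new variable's value.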

linear Bot commented Jul 13, 2024

[ci skip]