prevent url injection to api calls

not properly construting the url is quite dangerous as user controlled input can lead to injection of arbitrary paths and query parameters into the url.

this changes the arcavis.server config to contain only the hostname and nothing else.