From 7237dc2a3b55a55d76f5595fe7dc56af9af22354 Mon Sep 17 00:00:00 2001
From: Aaron Pfeifer
Date: Thu, 20 Mar 2025 09:42:34 -0400
Subject: [PATCH] Remove non-lowercase headers in Rails default configuration (fixes #541)

While this gem now uses lowercase headers, the Rails default configuration still defines non-lowercase headers. As a result, our Railtie will not remove those conflicting headers. This change ensures that we're accounting for both lowercase and non-lowercase default headers in Rails.
---
 lib/secure_headers/railtie.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/secure_headers/railtie.rb b/lib/secure_headers/railtie.rb
index ba255acc..64f9eec9 100644
--- a/lib/secure_headers/railtie.rb
+++ b/lib/secure_headers/railtie.rb
@@ -22,9 +22,12 @@ class Railtie < Rails::Railtie
 ActiveSupport.on_load(:action_controller) do
 include SecureHeaders
- unless Rails.application.config.action_dispatch.default_headers.nil?
- conflicting_headers.each do |header|
- Rails.application.config.action_dispatch.default_headers.delete(header)
+ default_headers = Rails.application.config.action_dispatch.default_headers
+ unless default_headers.nil?
+ default_headers.each_key do |header|
+ if conflicting_headers.include?(header.downcase)
+ default_headers.delete(header)
+ end
 end
 end
 end
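Review bot: The new check `conflicting_headers.include?(header.downcase)` only matches if every entry of `conflicting_headers` is itself lowercase. That list is defined outside this hunk, so a mixed-case entry there would silently leave the Rails default header in place next to the one this gem sets. Deleting from `default_headers` inside its own `each_key` is tolerated by Ruby but reads as a hazard; `default_headers.delete_if { |header, _| conflicting_headers.include?(header.to_s.downcase) }` does the same in one call, and the `to_s` also covers a symbol key should an application configure one. A Railtie test that seeds both a mixed-case and a lowercase spelling of one conflicting header into the defaults, then asserts both are gone, would pin the behaviour. The enclosing `on_load` block starts before the hunk.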