
Lowercase header issue: SecureHeaders::OPT_OUT Fails to Remove Non-Lowercase Headers in Rails Default Config #541

Open
@GabDesilets

Description


Bug

Gem version: 7.1.0
Rails: 6.1
Ruby: 3.3.6

Following this change from this pull request, it introduces a regression and unwanted behavior with some headers.

While using SecureHeaders::OPT_OUT as a value to override the X-Frame-Options header we're not deleting the header.

It happens because here in railtie.rb
we are only looking for the lowercase key values.
The default written X-Frame-Options never gets matched because keys are case sensitive.

This is potentially a bigger issue since, looking at a recent version of Rails action_dispatch here, it is still using the non-lowercase keys.

Expected outcome

  1. The header is removed from the headers list in the response when using SecureHeaders::OPT_OUT.

Actual outcome

  1. Any non-downcased header with the SecureHeaders::OPT_OUT value doesn't get removed.

Suggestions:

# conflicting_headers is the list of lowercase header names secure_headers
# manages (already defined in railtie.rb); compare against the downcased key
# but delete the key as Rails actually wrote it.
default_headers = Rails.application.config.action_dispatch.default_headers
unless default_headers.nil?
  default_headers.keys.each do |header|
    if conflicting_headers.include?(header.downcase)
      default_headers.delete(header)
    end
  end
end
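A stand-alone reproduction of the mismatch and of the suggested fix, added here as an example and not taken from the secure_headers gem or the issue author. `rails_default_headers`, `configured_headers`, `conflicting_headers` and the `OPT_OUT` constant are constructed stand-ins for `Rails.application.config.action_dispatch.default_headers`, the gem's configuration and `SecureHeaders::OPT_OUT`.

```ruby
# Constructed stand-in for SecureHeaders::OPT_OUT.
OPT_OUT = :opt_out

# Sample of what Rails writes by default: mixed-case keys (constructed).
def rails_default_headers
  {
    "X-Frame-Options" => "SAMEORIGIN",
    "X-XSS-Protection" => "0",
    "X-Content-Type-Options" => "nosniff",
  }
end

# Sample secure_headers configuration (constructed): lowercase keys, with
# X-Frame-Options opted out and X-Content-Type-Options managed by the gem.
def configured_headers
  { "x-frame-options" => OPT_OUT, "x-content-type-options" => "nosniff" }
end

# Lowercase names of every header the gem will manage; this mirrors the
# list railtie.rb compares against according to the issue.
def conflicting_headers(config = configured_headers)
  config.keys.map(&:downcase)
end

# Behaviour the issue reports: an exact-key delete never matches the
# mixed-case keys Rails wrote, so nothing is removed.
def strip_exact_match(default_headers, conflicts)
  headers = default_headers.dup
  conflicts.each { |name| headers.delete(name) }
  headers
end

# Behaviour the issue suggests: compare the downcased key, delete the
# original key. Iterate over a key snapshot so deletion is safe.
def strip_case_insensitive(default_headers, conflicts)
  headers = default_headers.dup
  headers.keys.each do |header|
    headers.delete(header) if conflicts.include?(header.downcase)
  end
  headers
end

if __FILE__ == $PROGRAM_NAME
  p strip_exact_match(rails_default_headers, conflicting_headers)
  p strip_case_insensitive(rails_default_headers, conflicting_headers)
end
```

Run with `ruby repro.rb`: the first line still shows X-Frame-Options present, the second shows only X-XSS-Protection left, since both managed headers were removed from the Rails defaults.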
