fix(core): Ensure ip address headers are stripped when lower case (#20484)

This was flagged by a claude security review and makes sense IMHO, we
should make sure to also strip IP headers when they are lower case.

While looking at that I noticed we have no tests at all for this rather
critical thing 😬 so I added some here.

Author: mydea

packages/core/src/integrations/requestdata.ts

@@ -106,12 +106,16 @@ function extractNormalizedRequestData(
       delete (headers as { cookie?: string }).cookie;
     }
 
-    // Remove IP headers in case IP data should not be included in the event
+    // Remove IP headers in case IP data should not be included in the event.
+    // Match case-insensitively — same as getClientIPAddress — so lowercase keys are stripped too.
     if (!include.ip) {
-      ipHeaderNames.forEach(ipHeaderName => {
-        // eslint-disable-next-line @typescript-eslint/no-dynamic-delete
-        delete (headers as Record<string, unknown>)[ipHeaderName];
-      });
+      const ipHeaderNamesLower = new Set(ipHeaderNames.map(name => name.toLowerCase()));
+      for (const key of Object.keys(headers)) {
+        if (ipHeaderNamesLower.has(key.toLowerCase())) {
+          // eslint-disable-next-line @typescript-eslint/no-dynamic-delete
+          delete (headers as Record<string, unknown>)[key];
+        }
+      }
     }
   }