Description
opened on Feb 8, 2022
Issue Description
Hi 👋
In this documentation, it's stated that with sendDefaultPii false, the following happens:
When attaching HTTP requests to events, "raw" bodies (bodies which cannot be parsed as JSON or formdata) are removed, and known sensitive headers such as Authorization or Cookies are removed too.
I noticed that the Authorization header is sent as part of the request context for error and APM events, even with sendDefaultPii set to false (the Cookie header is not sent, however).
Reproduction Steps
- Create a new Rails project, with sentry-ruby and sentry-rails
- Initialize Sentry with a valid config, with send_default_pii not explicitly defined
- Make requests resulting in APM and error events, with an Authorization header present
- Observe that it is included in events sent to Sentry
Expected Behavior
With the send_default_pii default of false, the Authorization header is not sent to the server.
Actual Behavior
With the send_default_pii default of false, the Authorization header is sent to the server.
Ruby Version
2.7.4
SDK Version
4.8.2
Integration and Its Version
No response
Sentry Config
...
config.send_default_pii = false
...
I'm sorry to raise two issues in a single week 😓, but I asked about this in discord and Bruno suggested the behavior was incorrect and to report it here, so I wanted to make sure to do that. Thank you for all the work you put into this SDK, Stan 🙂
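The header handling that the quoted documentation describes, as an added example that is not part of the original issue and is not sentry-ruby's own code: it converts a Rack env to request headers, drops the documented sensitive ones when PII sending is off, and provides a check for headers that leaked into a payload. All function and constant names are hypothetical, and the sample env is constructed.

```ruby
# Headers the quoted documentation names as removed when PII sending is off.
DOCUMENTED_SENSITIVE = %w[authorization cookie].freeze

# Rack stores request headers as HTTP_* keys (plus CONTENT_TYPE / CONTENT_LENGTH).
def rack_env_to_headers(env)
  env.each_with_object({}) do |(key, value), headers|
    next unless key.is_a?(String)
    name = if key.start_with?("HTTP_")
             key.sub(/\AHTTP_/, "")
           elsif %w[CONTENT_TYPE CONTENT_LENGTH].include?(key)
             key
           end
    next if name.nil?
    # HTTP_USER_AGENT -> User-Agent
    headers[name.split("_").map(&:capitalize).join("-")] = value.to_s
  end
end

# Returns a copy of the headers that is safe to attach to an event.
# `extra` lets a caller block further header names (an assumption, not from the page).
def scrub_headers(headers, send_default_pii: false, extra: [])
  return headers.dup if send_default_pii
  blocked = DOCUMENTED_SENSITIVE + extra.map(&:downcase)
  headers.reject { |name, _| blocked.include?(name.to_s.downcase) }
end

# Regression check: which sensitive header names are present in a payload?
def leaked_headers(payload_headers, extra: [])
  blocked = DOCUMENTED_SENSITIVE + extra.map(&:downcase)
  payload_headers.keys.select { |name| blocked.include?(name.to_s.downcase) }
end

# Constructed sample Rack env (values are placeholders).
SAMPLE_ENV = {
  "REQUEST_METHOD" => "GET",
  "HTTP_AUTHORIZATION" => "Bearer example-token",
  "HTTP_COOKIE" => "session=example",
  "HTTP_USER_AGENT" => "curl/8.0",
  "CONTENT_TYPE" => "application/json",
  "rack.input" => nil
}.freeze
```

`leaked_headers` can be run against the request headers of a captured event in a test suite to catch a regression like the one reported here.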