Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x

[hc-github-team-consul-core]

Backport

This PR is auto-generated from #21816 to be assessed for backporting due to the inclusion of the label backport/1.20.

The below text is copied from the body of the original PR.

---

Description

This PR brings in all previously reviewed changes from the zalimeni/feature/net-1151-l7-intentions-security-fixes feature branch into main and release branches. All changes were previously approved as part of Enterprise reviews except for the changelog added in this PR.

Changes include:

• mesh: add options for HTTP incoming request normalization
• mesh: enable inbound URL path normalization by default
• mesh: add support for L7 header match contains and ignore_case
• ui: support L7 header match contains and ignore_case
• test: add request normalization integration bats tests
• docs: update security and reference docs for L7 intentions bypass pre…

I'll squash and rebase these commits prior to merge to make backports more manageable.

Once this PR is merged, I'll cut api across active release branches, which will allow for hashicorp/consul-k8s#4385 to be updated and merged as well, completing the cross-repo changeset.

Testing & Reproduction steps

See previous PRs for testing details. All unit and integration tests are expected to pass.

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern

---

Overview of commits

• 9e7757d

[github-team-consul-core-pr-approver]

Auto approved Consul Bot automated PR