Description
assertRequiredHeaders() will only complain about unsigned headers if they are actually present in the request:
```php
// Header names exactly as the client sent them (casing is not normalized)
$requestHeaders = array_keys($request->getHeaders());
// Only required headers that are actually present survive this intersection
$required = array_intersect($this->getRequiredHeaders($method), $requestHeaders);
// So a required header the client omitted can never show up as missing
$missing = array_diff($required, $headers);
```
This allows requests to be accepted from sloppy clients that omit crucial information. Requests from such clients can be intercepted, manipulated, and replayed. E.g. a POST request without a Digest header would succeed even if the Digest header was required for POST requests. Such a request can be intercepted, the body manipulated, and then resent unnoticed.
Note that `$request->getHeaders()` will return the header names in whatever form the client sent them, not normalized to lower-case. If the required headers are all lower-case and the client sends all upper-case header names, none of the headers will be considered "required".
Also note that the current behavior makes it impossible to effectively require `(request-target)`, since that is never present as a header.
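To make the three points concrete, here is an added, self-contained PHP example (not code from this library) that runs the quoted logic and a hardened alternative side by side on constructed inputs. `$requestHeaderNames` stands in for `array_keys($request->getHeaders())`, and `$signedHeaders` stands in for the parsed `headers=` parameter of the Signature; both are assumptions about the surrounding code, and the header lists are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the library's own code. It contrasts the reported check
// with a hardened one. Inputs below are constructed for the demonstration:
//   $requestHeaderNames ~ array_keys($request->getHeaders())  (client's casing kept)
//   $signedHeaders      ~ the "headers" parameter of the Signature header

/**
 * Reproduces the reported logic: only required headers that are actually
 * present in the request can ever be reported as missing from the signature.
 */
function missingRequiredHeadersLenient(array $required, array $requestHeaderNames, array $signedHeaders): array
{
    $present = array_intersect($required, $requestHeaderNames); // omitted headers vanish here
    return array_values(array_diff($present, $signedHeaders));
}

/**
 * Hardened logic: every required header, including pseudo-headers such as
 * (request-target) that never appear in the request, must be in the signed
 * list, whether or not the client sent it. Names are compared
 * case-insensitively, as HTTP header names are. A header that is signed but
 * absent from the request is left to signature-string construction, which
 * cannot succeed without it.
 */
function missingRequiredHeadersStrict(array $required, array $signedHeaders): array
{
    $signed = array_map('strtolower', $signedHeaders);
    $missing = [];
    foreach ($required as $name) {
        $name = strtolower($name);
        if (!in_array($name, $signed, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Required headers for a POST, as the server might configure them.
$required = ['(request-target)', 'date', 'digest'];

$scenarios = [
    // Client omits Digest entirely and signs only date: body can be altered unnoticed.
    'Digest omitted' => [
        'sent'   => ['host', 'date', 'signature'],
        'signed' => ['date'],
    ],
    // Client sends every header but with upper-case names and signs nothing:
    // the case-sensitive intersection leaves no "required" headers at all.
    'Upper-case names, nothing signed' => [
        'sent'   => ['HOST', 'DATE', 'DIGEST', 'SIGNATURE'],
        'signed' => [],
    ],
    // Well-behaved client: everything required is signed.
    'Compliant client' => [
        'sent'   => ['host', 'date', 'digest', 'signature'],
        'signed' => ['(request-target)', 'date', 'digest'],
    ],
];

foreach ($scenarios as $label => $s) {
    $lenient = missingRequiredHeadersLenient($required, $s['sent'], $s['signed']);
    $strict  = missingRequiredHeadersStrict($required, $s['signed']);
    printf("%s\n  lenient reports missing: %s\n  strict  reports missing: %s\n",
        $label, json_encode($lenient), json_encode($strict));
}
```

Run with `php example.php`. In the first two scenarios the lenient check reports nothing missing, so the request would be accepted; the strict check reports `(request-target)` and `digest` (first scenario) or all three required headers (second scenario). Only the compliant client passes both checks.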