Symfony version(s) affected: >= 3.2
Description
The constructor for \Symfony\Component\HttpFoundation\RedirectResponse removes the cache-control header for 301 responses, unless the caller explicitly provides a cache-control header through the $headers parameter (introduced in #17139). However, the check on $headers['cache-control'] in the constructor is case sensitive, so if the caller passes in $headers['Cache-Control'], the cache-control header is still being removed.
This was discovered in the Drupal issue queue (#3054821-10: Include Cache-Control header on 301 redirects.).
How to reproduce
$response = new RedirectResponse('foo.bar', 301, ['cache-control' => 'max-age=86400']);
$this->assertFalse($response->headers->hasCacheControlDirective('no-cache'));
$response = new RedirectResponse('foo.bar', 301, ['Cache-Control' => 'max-age=86400']);
$this->assertFalse($response->headers->hasCacheControlDirective('no-cache'));
The first unit test succeeds, the second one fails.
Possible Solution
Perform a case insensitive check on the user-supplied headers.
Additional context
This issue was raised earlier in #27574, but that issue was closed, although a comment by @curry684 said:
It's dodgy code for sure that could use some comments and improvements...
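
The case-sensitive check described in this issue, next to a case-insensitive variant, as an added example (not Symfony's own code and not part of the original report). The function names, the plain-array header bag and its default value are simplified stand-ins assumed for illustration.

```php
<?php
// Added illustration: simplified stand-ins, not Symfony's actual constructor.

/** Case-sensitive lookup as described in the issue: only the exact key matches. */
function callerSetCacheControlStrict(array $headers): bool
{
    return array_key_exists('cache-control', $headers);
}

/** Case-insensitive lookup: header names are normalised before the check. */
function callerSetCacheControl(array $headers): bool
{
    return array_key_exists('cache-control', array_change_key_case($headers, CASE_LOWER));
}

/**
 * Hypothetical helper modelling the described behaviour: on a 301, the
 * cache-control header is removed unless the caller supplied one.
 */
function buildRedirectHeaders(int $status, array $headers, callable $callerSet): array
{
    // Stand-in header bag: lowercase names, with a default policy pre-set.
    $bag = ['cache-control' => 'no-cache, private'];
    foreach ($headers as $name => $value) {
        $bag[strtolower($name)] = $value;
    }
    if (301 === $status && !$callerSet($headers)) {
        unset($bag['cache-control']);
    }
    return $bag;
}

// Constructed sample input: the same header value under three spellings of the name.
foreach (['cache-control', 'Cache-Control', 'CACHE-CONTROL'] as $name) {
    $in = [$name => 'max-age=86400'];
    $strict = buildRedirectHeaders(301, $in, 'callerSetCacheControlStrict');
    $fixed = buildRedirectHeaders(301, $in, 'callerSetCacheControl');
    printf(
        "%-14s strict=%-14s fixed=%s\n",
        $name,
        $strict['cache-control'] ?? '(removed)',
        $fixed['cache-control'] ?? '(removed)'
    );
}
```

With the strict check, only the all-lowercase spelling keeps the caller's max-age value; with the normalised check, every spelling keeps it.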