feat(project): increase securityTokenHeader max_length from 20 to 64 (#112483)

## Summary

Increases the `securityTokenHeader` field limit from 20 to 64 characters
in the project settings serializer.

The previous 20-char cap was too restrictive — common header names like
`X-Custom-Security-Header` (26 chars) hit the limit. 64 is a more
practical ceiling that still constrains unbounded input.

## Changes

- `src/sentry/core/endpoints/project_details.py`: `max_length=20` →
`max_length=64` on `securityTokenHeader` field
- `tests/sentry/core/endpoints/test_project_details.py`: adds
`test_security_token_header_max_length` covering:
  - exactly 64 chars accepted (boundary)
  - 65 chars rejected with 400

Test pattern matches prior art in the same test class (e.g.
`test_sensitive_fields_too_long`, `test_store_crash_reports_exceeded`).

Co-authored-by: junior <junior@sentry.io>

Author: sentry-junior[bot]

src/sentry/core/endpoints/project_details.py

@@ -229,7 +229,7 @@ class ProjectAdminSerializer(ProjectMemberSerializer):
         r"^[-a-zA-Z0-9+/=\s]+$", max_length=255, allow_blank=True
     )
     securityTokenHeader = serializers.RegexField(
-        r"^[a-zA-Z0-9_\-]+$", max_length=20, allow_blank=True
+        r"^[a-zA-Z0-9_\-]+$", max_length=64, allow_blank=True
     )
     verifySSL = serializers.BooleanField(required=False)
 

tests/sentry/core/endpoints/test_project_details.py

@@ -844,6 +844,20 @@ def test_security_token_header(self) -> None:
         assert self.project.get_option("sentry:token_header") == ""
         assert resp.data["securityTokenHeader"] == ""
 
+    def test_security_token_header_max_length(self) -> None:
+        # exactly 64 characters should succeed
+        value = "X-" + "A" * 62
+        assert len(value) == 64
+        resp = self.get_success_response(self.org_slug, self.proj_slug, securityTokenHeader=value)
+        assert self.project.get_option("sentry:token_header") == value
+        assert resp.data["securityTokenHeader"] == value
+
+        # 65 characters should fail
+        resp = self.get_error_response(
+            self.org_slug, self.proj_slug, securityTokenHeader="X-" + "A" * 63, status_code=400
+        )
+        assert b"securityTokenHeader" in resp.content
+
     def test_verify_ssl(self) -> None:
         resp = self.get_success_response(self.org_slug, self.proj_slug, verifySSL=False)
         assert self.project.get_option("sentry:verify_ssl") is False