fix(mcp_server): preserve authorization header in HTTP mode #11366

Merged: jfagoagas merged 2 commits into master from fix/mcp_server_include_headers on May 26, 2026
Conversation

@puchy22 (Member) commented May 26, 2026

Context

After bumping fastmcp from 2.14.0 to 3.2.4 in #4317, every authenticated call to the MCP server in HTTP mode started failing with ValueError: No authorization header provided. FastMCP 3.2.4 added authorization to the default exclusion set of get_http_headers() (see fastmcp/server/dependencies.py:442), so the bearer token sent by the lighthouse agent (and any other HTTP client) was being filtered out before reaching the auth flow.

Description

Pass include={"authorization"} to get_http_headers() so the authorization header survives the default exclusion and reaches ProwlerAppAuth.authenticate().

Steps to review

  1. Read the change in mcp_server/prowler_mcp_server/prowler_app/utils/auth.py.
  2. Run the MCP server in HTTP mode and call any authenticated tool (e.g. prowler_app_get_mutelist) with a valid Authorization: Bearer <token> header — it should now succeed instead of raising No authorization header provided.
  3. Confirm STDIO mode is unaffected (the mode == "http" branch is the only change).

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
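The failure mode described in the Context section, and the opt-in that fixes it, modelled as an added example. This is not fastmcp's or Prowler's code: `filter_headers` is a constructed stand-in for a header accessor with a default exclusion set and an `include=` opt-in, `extract_bearer_token` and `authenticate` are hypothetical helpers, and the exclusion set, header values and token are all constructed. It shows how a secure-by-default filter silently drops the `Authorization` header, producing exactly the "No authorization header provided" error, and how re-admitting only that one header makes the bearer flow work again.

```python
"""Constructed model of header filtering with a default exclusion set.

Not fastmcp's implementation: it mimics the behaviour the PR describes, a
header accessor that strips a fixed set of sensitive headers unless the
caller opts back in with `include`.
"""

# Constructed exclusion set. `authorization` being in it is the behaviour the
# PR attributes to FastMCP 3.2.4; the other two names are assumptions.
DEFAULT_EXCLUDED = frozenset({"host", "content-length", "authorization"})


def filter_headers(raw_headers, include=None):
    """Return a lower-cased copy of raw_headers minus the default exclusions.

    Names listed in `include` are re-admitted even though they are excluded
    by default. Mirrors the shape of an `include=` opt-in; hypothetical API.
    """
    include = {name.lower() for name in (include or ())}
    filtered = {}
    for name, value in raw_headers.items():
        key = name.lower()
        if key in DEFAULT_EXCLUDED and key not in include:
            continue  # dropped before any downstream code can see it
        filtered[key] = value
    return filtered


def extract_bearer_token(headers):
    """Pull the token out of `Authorization: Bearer <token>`.

    Raises ValueError with the same wording the PR reports when the header is
    absent, so the failure is attributable rather than a silent 401.
    """
    auth = headers.get("authorization")
    if auth is None:
        raise ValueError("No authorization header provided")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("Authorization header is not a Bearer token")
    return token.strip()


def authenticate(raw_headers, include=None):
    """Filter then extract; returns the token or an error string so the
    before/after outcomes can be compared directly."""
    try:
        return extract_bearer_token(filter_headers(raw_headers, include=include))
    except ValueError as exc:
        return f"error: {exc}"


# Constructed request headers, as an HTTP client such as an agent would send.
SAMPLE_HEADERS = {
    "Host": "mcp.example.invalid",
    "Content-Type": "application/json",
    "Authorization": "Bearer tok_constructed_123",
}

if __name__ == "__main__":
    # Before the fix: the default exclusion drops the header.
    print(authenticate(SAMPLE_HEADERS))
    # After the fix: opt back in with include={"authorization"} only.
    print(authenticate(SAMPLE_HEADERS, include={"authorization"}))
```

The design point worth keeping from the PR is the narrowness of the opt-in: the filter's default-deny on sensitive headers stays in place for everything else, and only the one header the auth flow actually needs is re-admitted, at the one call site that consumes it.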

FastMCP 3.2.4 added `authorization` to the default exclusion set of
`get_http_headers()`, so every authenticated call to the HTTP transport
was failing with "No authorization header provided". Pass
`include={"authorization"}` so the header reaches the auth flow.
@puchy22 puchy22 requested a review from a team as a code owner May 26, 2026 12:33
@jfagoagas jfagoagas added the backport-to-v5.28 Backport PR to the v5.28 branch label May 26, 2026
@github-actions bot (Contributor) commented May 26, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions bot (Contributor) commented

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions bot (Contributor) commented

🔒 Container Security Scan

Image: prowler-mcp:b9cfaf9
Last scan: 2026-05-26 13:25:20 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 2
Total 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

📋 Resources:

@jfagoagas jfagoagas merged commit 671d0c7 into master May 26, 2026
20 checks passed
@jfagoagas jfagoagas deleted the fix/mcp_server_include_headers branch May 26, 2026 13:25
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label May 26, 2026
@prowler-bot (Collaborator) commented

💚 All backports created successfully

Status Branch Result
v5.28

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details

Labels: backport-to-v5.28 (Backport PR to the v5.28 branch), component/mcp-server, was-backported (The PR was successfully backported to the target branch)
