feat(security): expand inbound passthrough denylist to block protocol-level headers

[bogdanmariusc10]

🔗 Related Issue

Closes #4450

---

📝 Summary

Expands the inbound passthrough header denylist from a single entry (content-type) to 10 protocol-level headers that pose security risks when client-controlled. This prevents vhost selection attacks, cache poisoning, request smuggling, and encoding-dispatch bypasses.

What changed:

• Added _INBOUND_PASSTHROUGH_DENYLIST constant with 10 security-critical headers
• Enforced denylist in both get_passthrough_headers() and compute_passthrough_headers_cached()
• Added 13 comprehensive security tests covering individual and combined denial scenarios
• Updated existing tests to use safe alternative headers (X-Custom-Type instead of Content-Type)

Headers now blocked from inbound passthrough:

• content-type — encoding-dispatch protection (PR fix(api): support multipart/form-data and form-urlencoded for REST tool invocations #4139)
• host — vhost selection / cache-poisoning protection
• transfer-encoding — request-smuggling protection
• content-length — httpx-managed; defence-in-depth
• connection, keep-alive, proxy-connection, te, trailer, upgrade — hop-by-hop headers

Note: authorization is intentionally NOT in the denylist as it has existing gateway-auth-aware handling via X-Upstream-Authorization rename logic.

---

🏷️ Type of Change

• Bug fix
• Feature / Enhancement
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅ Pass
Unit tests	make test	✅ Pass
Coverage ≥ 80%	make coverage	✅ Pass

Test coverage:

• 13 new security tests in TestInboundPassthroughDenylist class
• Tests verify each header is denied via both default_passthrough_headers and per-gateway passthrough_headers
• Tests verify case-insensitive matching and WARNING-level logging
• Tests verify authorization is NOT blocked (existing special handling preserved)

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes

Security rationale per header:

Header	Risk if client-supplied	Severity
host	Wrong upstream vhost selection on multi-tenant origins; cache-poisoning class	Medium
transfer-encoding	Request-smuggling primitive against fragile upstream parsers	Medium
content-type	Encoding-dispatch bypass (already fixed in PR #4139)	Medium
content-length	httpx auto-recalculates; defence-in-depth	Low
connection, keep-alive, proxy-connection, te, trailer, upgrade	Hop-by-hop — httpx manages; defence-in-depth	Low

Design decisions:

• Mirrored the protocol-level subset of existing _LOOPBACK_SKIP_HEADERS constant (same file, line 552)
• Excluded gateway-internal routing headers (mcp-session-id, x-forwarded-internally) as they only matter in loopback contexts
• Excluded authorization to preserve existing gateway-auth-aware handling
• Logs at WARNING level when blocking headers for visibility and troubleshooting

Files modified:

• mcpgateway/utils/passthrough_headers.py — added denylist constant and enforcement logic
• tests/unit/mcpgateway/utils/test_passthrough_headers_security.py — added 13 new security tests
• tests/unit/mcpgateway/utils/test_passthrough_headers.py — fixed 8 tests expecting Content-Type passthrough
• tests/unit/mcpgateway/utils/test_passthrough_headers_fixed.py — fixed 4 tests expecting Content-Type passthrough
• .secrets.baseline — updated baseline for new test content