HTTP: If username and is empty string (default), Authorization is still used

[sebix]

if http_username and http_password are set to an empty string, as it's the default with IntelMQ Manager, then the collector does send an Authorization header:

collector: Runtime configuration: parameter 'http_password' loaded with value 'HIDDEN'.
collector: Runtime configuration: parameter 'http_username' loaded with value ''.
....
os-collector: Request headers: {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'Basic Og=='}.

For endpoints which evaluate the header also, if not required, this triggers a 403.