Skip to content

Always collect response headers in span when AppSec is enabled #10648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gh-worker-dd-mergequeue-cf854d merged 1 commit into from
Feb 20, 2026
+14 −0
Merged

Always collect response headers in span when AppSec is enabled #10648

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -920,10 +920,14 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
// Report all collected request headers on user tracking event
writeRequestHeaders(
ctx, traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), false);
writeResponseHeaders(
ctx, traceSeg, RESPONSE_HEADERS_ALLOW_LIST, ctx.getResponseHeaders(), false);
} else {
// Report minimum set of collected request headers
writeRequestHeaders(
ctx, traceSeg, DEFAULT_REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), false);
writeResponseHeaders(
ctx, traceSeg, RESPONSE_HEADERS_ALLOW_LIST, ctx.getResponseHeaders(), false);
}
// If extracted any derivatives - commit them
if (!ctx.commitDerivatives(traceSeg)) {
Expand Down
10 changes: 10 additions & 0 deletions ...agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1192,6 +1192,10 @@ class GatewayBridgeSpecification extends DDSpecification {
'x-sigsci-tags' : ['SQLI, XSS'],
'akamai-user-risk' : ['uuid=913c4545-757b-4d8d-859d-e1361a828361;status=0'],
]
mockAppSecCtx.responseHeaders >> [
'content-type' : ['text/plain'],
'content-length': ['13'],
]
final mockCtx = Stub(RequestContext) {
getData(RequestContextSlot.APPSEC) >> mockAppSecCtx
getTraceSegment() >> traceSegment
Expand All @@ -1217,6 +1221,8 @@ class GatewayBridgeSpecification extends DDSpecification {
1 * traceSegment.setTagTop('http.request.headers.x-sigsci-requestid', '55c24b96ca84c02201000001')
1 * traceSegment.setTagTop('http.request.headers.x-sigsci-tags', 'SQLI, XSS')
1 * traceSegment.setTagTop('http.request.headers.akamai-user-risk', 'uuid=913c4545-757b-4d8d-859d-e1361a828361;status=0')
1 * traceSegment.setTagTop('http.response.headers.content-type', 'text/plain')
1 * traceSegment.setTagTop('http.response.headers.content-length', '13')
}

void 'request headers are always set when there are user tracking events'() {
Expand All @@ -1226,6 +1232,9 @@ class GatewayBridgeSpecification extends DDSpecification {
getRequestHeaders() >> [
'host': ['localhost']
]
getResponseHeaders() >> [
'content-type': ['text/plain']
]
}
final mockCtx = Stub(RequestContext) {
getData(RequestContextSlot.APPSEC) >> mockAppSecCtx
Expand All @@ -1239,6 +1248,7 @@ class GatewayBridgeSpecification extends DDSpecification {

then:
(userTracking ? 1 : 0) * traceSegment.setTagTop('http.request.headers.host', 'localhost')
1 * traceSegment.setTagTop('http.response.headers.content-type', 'text/plain')

where:
tag | userTracking
Expand Down