Send response headers on meta even without event (#3653)

estringana · web-flow · commit f785afe360ad · 2026-02-19T16:37:45.000+01:00
diff --git a/appsec/src/extension/tags.c b/appsec/src/extension/tags.c
@@ -535,6 +535,7 @@ static void _add_basic_tags_to_meta(
     _dd_http_client_ip(meta_ht);
 
     _dd_request_headers(meta_ht, _server, headers);
+    _dd_response_headers(meta_ht);
 }
 
 // NOLINTNEXTLINE(bugprone-easily-swappable-parameters)
diff --git a/appsec/tests/extension/ancillary_tags.phpt b/appsec/tests/extension/ancillary_tags.phpt
@@ -126,4 +126,8 @@ Array
     [http.request.headers.x-cloud-trace-context] => cloudtracecontext
     [http.request.headers.x-sigsci-requestid] => sigscirequestid
     [http.request.headers.x-sigsci-tags] => sigscitags
+    [http.response.headers.content-encoding] => foobar
+    [http.response.headers.content-language] => pt_PT
+    [http.response.headers.content-length] => 42
+    [http.response.headers.content-type] => application/json
 )
diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
@@ -225,6 +225,26 @@ trait CommonTests {
         assert span.meta."_dd.appsec.event_rules.version" != ''
     }
 
+    @Test
+    void 'trace without event'() {
+        def respContentType = null
+        def respContentLength = null
+        def trace = container.traceFromRequest('/hello.php') { HttpResponse<InputStream> resp ->
+            assert resp.statusCode() == 200
+            def headerContentType = resp.headers().firstValue('Content-Type')
+            if (headerContentType.isPresent()) {
+                respContentType = headerContentType.get()
+            }
+        }
+
+        Span span = trace.first()
+        assert span.metrics."_dd.appsec.enabled" == 1.0d
+        assert respContentType != null && respContentType.length() > 0
+        assert span.meta."http.response.headers.content-type" == respContentType
+        assert span.meta."http.response.headers.content-encoding" == 'foobar'
+        assert span.meta."http.response.headers.content-language" == 'en'
+    }
+
     @Test
     void 'trace with an attack'() {
         HttpRequest req = container.buildReq('/hello.php')
diff --git a/appsec/tests/integration/src/test/www/base/public/hello.php b/appsec/tests/integration/src/test/www/base/public/hello.php
@@ -1,2 +1,8 @@
 <?php
-echo 'Hello world!';
+header('Content-Encoding: foobar');
+header('Content-Language: en');
+
+$content = "Hello world!";
+
+echo $content;
+

Original file line number	Diff line number	Diff line change
`@@ -535,6 +535,7 @@ static void _add_basic_tags_to_meta(`
`535`	`535`	`_dd_http_client_ip(meta_ht);`
`536`	`536`
`537`	`537`	`_dd_request_headers(meta_ht, _server, headers);`
	`538`	`+ _dd_response_headers(meta_ht);`
`538`	`539`	`}`
`539`	`540`
`540`	`541`	`// NOLINTNEXTLINE(bugprone-easily-swappable-parameters)`
Original file line number	Diff line number	Diff line change
`@@ -126,4 +126,8 @@ Array`
`126`	`126`	`[http.request.headers.x-cloud-trace-context] => cloudtracecontext`
`127`	`127`	`[http.request.headers.x-sigsci-requestid] => sigscirequestid`
`128`	`128`	`[http.request.headers.x-sigsci-tags] => sigscitags`
	`129`	`+ [http.response.headers.content-encoding] => foobar`
	`130`	`+ [http.response.headers.content-language] => pt_PT`
	`131`	`+ [http.response.headers.content-length] => 42`
	`132`	`+ [http.response.headers.content-type] => application/json`
`129`	`133`	`)`