fix(appsec): explicitly set Content-Length header in block request handler#4496
Conversation
…ndler The block request handler was not explicitly setting the Content-Length header on the ResponseWriter. Go's net/http automatically calculates and sends Content-Length to the client, but does not update the Header() map with this auto-detected value. This caused the AppSec header collection code (which reads from w.Header() via ResponseHeaderCopier) to miss the Content-Length, resulting in the span tag http.response.headers.content-length being absent on blocked requests. The fix pre-computes the rendered response payload and explicitly sets Content-Length in the header map before calling WriteHeader, ensuring the header is visible to span tag collection. Co-Authored-By: Claude Opus 4.6 <[email protected]> JJ-Change-Id: yqmwrx
|
✅ Tests 🎉 All green!❄️ No new flaky tests detected 🔗 Commit SHA: fcaf08d | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback! |
BenchmarksBenchmark execution time: 2026-03-04 10:29:20 Comparing candidate commit fcaf08d in PR branch Found 0 performance improvements and 1 performance regressions! Performance is the same for 157 metrics, 6 unstable metrics.
|
…ponses The appsec block handler now sets an explicit Content-Length header. The envoy tests asserted on headers by index (SetHeaders[0]), which is fragile since http.Header map iteration order is non-deterministic. Replace index-based header assertions with a key-based lookup helper (requireSetHeader), and update Len assertions from 1 to 2 to account for the new Content-Length header. Co-Authored-By: Claude Opus 4.6 <[email protected]> JJ-Change-Id: yurmxo
Remove the bug (APPSEC-61286) marker from Test_Headers_Event_Blocking in the golang manifest. The underlying issue (missing Content-Length span tag on blocked responses) has been fixed in dd-trace-go by explicitly setting the header in the block request handler. See: DataDog/dd-trace-go#4496 Co-Authored-By: Claude Opus 4.6 <[email protected]> JJ-Change-Id: oxwxwl
Replace the bug (APPSEC-61286) marker on Test_Headers_Event_Blocking with a v2.7.0-dev version gate in the golang manifest. The underlying issue (missing Content-Length span tag on blocked responses) has been fixed in dd-trace-go by explicitly setting the header in the block request handler. See: DataDog/dd-trace-go#4496 Co-Authored-By: Claude Opus 4.6 <[email protected]> JJ-Change-Id: xryqnp
## Summary - Replace `bug (APPSEC-61286)` marker on `Test_Headers_Event_Blocking` with a `v2.7.0-dev` version gate in `manifests/golang.yml` - The underlying issue (missing `Content-Length` span tag on blocked responses) has been fixed in dd-trace-go by explicitly setting the header in the block request handler - Tracer fix: DataDog/dd-trace-go#4496 --- Co-authored-by: Claude Opus 4.6 <[email protected]>
Summary
Content-Lengthon theResponseWriterheader mapnet/httpauto-setsContent-Lengthon the wire but does not updatew.Header(), so span tag collection viaResponseHeaderCopiermissed ithttp.response.headers.content-lengthwas absent on blocked requests, causingsystem-testsTest_Headers_Event_Blockingto fail (APPSEC-61286)Content-LengthbeforeWriteHeader()Changes
instrumentation/appsec/emitter/waf/actions/block.go:newBlockRequestHandlernow computes the response body upfront and setsContent-Lengthexplicitly in the header mapinstrumentation/appsec/emitter/waf/actions/block_test.go: New test file with table-driven tests covering JSON, HTML, auto-detect, and empty security response ID cases