
Missing http.response.headers.content-type span tag on blocking responses#10711

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 7 commits into master from alejandro.gonzalez/APPSEC-61447-bug-blocking on Mar 5, 2026

Conversation


@jandro996 jandro996 commented Mar 2, 2026

What Does This Do

Ensures http.response.headers.content-type and http.response.headers.content-length span tags are set on blocking responses (HTTP 403).

When GatewayBridge.maybePublishRequestData() or maybePublishResponseData() returns a RequestBlockingAction, the blocking content-type and content-length are now computed deterministically from the action's BlockingContentType + the request Accept header (using BlockingActionHelper), stored on AppSecRequestContext, and written as span tags in onRequestEnded().

Motivation

Blocking handlers short-circuit the normal request/response flow, bypassing the IG responseHeader callbacks. As a result, AppSecRequestContext.responseHeaders is never populated for blocking responses, and onRequestEnded() has nothing to write — causing http.response.headers.content-type to be missing.

Additional Notes

  • The fix is fully centralized in GatewayBridge — no per-framework changes required.
  • agent-bootstrap is added as compileOnly to the appsec module so BlockingActionHelper is available at compile time. At runtime it is always accessible via the bootstrap classloader.
  • Content-length mirrors the exact byte count of the template the framework sends, including securityResponseId substitution.

Contributor Checklist

Jira ticket: APPSEC-61447

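Added illustration, not code from dd-trace-java (its BlockingActionHelper, GatewayBridge and AppSecRequestContext are only referred to by name on this page): a self-contained Java sketch of the negotiation the description relies on, choosing HTML or JSON from the BlockingContentType plus the request Accept header and deriving content-length from the bytes actually sent after securityResponseId substitution. The enum values, templates, content-type strings and the Accept parsing are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Stand-alone sketch of the blocking-response tagging the PR describes.
// Not dd-trace-java's BlockingActionHelper/GatewayBridge: templates, content-type
// strings and the Accept parsing below are assumptions for this example.
public final class BlockingResponseTags {

  // Mirrors the names used in the PR; NONE is assumed to mean "block with no body".
  enum BlockingContentType { AUTO, HTML, JSON, NONE }

  enum TemplateType { HTML, JSON }

  // Constructed sample templates; the real agent ships its own.
  static final String HTML_TEMPLATE =
      "<html><body>Blocked. Reference: {{securityResponseId}}</body></html>";
  static final String JSON_TEMPLATE =
      "{\"errors\":[{\"title\":\"Blocked\",\"detail\":\"{{securityResponseId}}\"}]}";

  // q-value of the most specific Accept range matching `type`; 0 when nothing matches.
  static double quality(String accept, String type) {
    double bestQ = 0.0;
    int bestSpec = -1;
    for (String range : accept.split(",")) {
      String[] parts = range.trim().split(";");
      String mediaType = parts[0].trim().toLowerCase(Locale.ROOT);
      double q = 1.0;
      for (int i = 1; i < parts.length; i++) {
        String p = parts[i].trim();
        if (p.startsWith("q=")) {
          try { q = Double.parseDouble(p.substring(2)); } catch (NumberFormatException e) { q = 0.0; }
        }
      }
      int spec;
      if (mediaType.equals(type)) spec = 2;                                        // text/html
      else if (mediaType.endsWith("/*")
          && type.startsWith(mediaType.substring(0, mediaType.length() - 1))) spec = 1; // text/*
      else if (mediaType.equals("*/*")) spec = 0;
      else continue;
      if (spec > bestSpec) { bestSpec = spec; bestQ = q; }
    }
    return bestQ;
  }

  // Deterministic: explicit HTML/JSON wins; AUTO serves HTML only when the client
  // prefers it over JSON. Ties (e.g. Accept: */*) and a missing header fall back to JSON.
  static TemplateType determineTemplateType(BlockingContentType bct, String accept) {
    if (bct == BlockingContentType.HTML) return TemplateType.HTML;
    if (bct == BlockingContentType.JSON || accept == null) return TemplateType.JSON;
    return quality(accept, "text/html") > quality(accept, "application/json")
        ? TemplateType.HTML : TemplateType.JSON;
  }

  // The two span tags the fix records. Content-length is the byte count of the body
  // the framework will actually write, i.e. after securityResponseId substitution.
  static Map<String, String> blockingResponseTags(
      BlockingContentType bct, String accept, String securityResponseId) {
    Map<String, String> tags = new LinkedHashMap<>();
    if (bct == BlockingContentType.NONE) return tags;  // assumed: no body, nothing to record
    TemplateType tt = determineTemplateType(bct, accept);
    String template = tt == TemplateType.HTML ? HTML_TEMPLATE : JSON_TEMPLATE;
    String body = template.replace("{{securityResponseId}}",
        securityResponseId == null ? "" : securityResponseId);
    int length = body.getBytes(StandardCharsets.UTF_8).length;
    tags.put("http.response.headers.content-type",
        tt == TemplateType.HTML ? "text/html;charset=utf-8" : "application/json");
    tags.put("http.response.headers.content-length", Integer.toString(length));
    return tags;
  }

  public static void main(String[] args) {
    String browserAccept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
    System.out.println(blockingResponseTags(BlockingContentType.AUTO, browserAccept, "abc-123"));
    System.out.println(blockingResponseTags(BlockingContentType.AUTO, "application/json", "abc-123"));
    System.out.println(blockingResponseTags(BlockingContentType.AUTO, "*/*", null));
  }
}
```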

@jandro996 jandro996 added labels type: bug (Bug report and fix), comp: asm waf (Application Security Management (WAF)), tag: do not merge (Do not merge changes) Mar 2, 2026

pr-commenter bot commented Mar 2, 2026

Benchmarks

⚠️ Warning: Baseline build not found for merge-base commit. Comparing against the latest commit on master instead.

Startup

Parameters

                    Baseline                        Candidate
git_branch          master                          alejandro.gonzalez/APPSEC-61447-bug-blocking
git_commit_date     1772667027                      1772699017
git_commit_sha      1108a4f                         76e2fb4
release_version     1.61.0-SNAPSHOT~1108a4f664      1.61.0-SNAPSHOT~76e2fb4337

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 67 metrics, 4 unstable metrics.

Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.055 s -
Agent appsec 1.243 s 188.183 ms (17.8%)
Agent iast 1.229 s 174.462 ms (16.5%)
Agent profiling 1.18 s 124.942 ms (11.8%)
Total tracing 10.938 s -
Total appsec 11.169 s 230.454 ms (2.1%)
Total iast 11.365 s 426.69 ms (3.9%)
Total profiling 11.06 s 121.914 ms (1.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.054 s -
Agent appsec 1.242 s 187.28 ms (17.8%)
Agent iast 1.224 s 169.934 ms (16.1%)
Agent profiling 1.193 s 138.295 ms (13.1%)
Total tracing 11.028 s -
Total appsec 11.17 s 141.627 ms (1.3%)
Total iast 11.299 s 270.592 ms (2.5%)
Total profiling 11.078 s 49.994 ms (0.5%)
Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent iast 1.233 s 174.32 ms (16.5%)
Total tracing 8.821 s -
Total iast 9.525 s 704.645 ms (8.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent iast 1.234 s 176.239 ms (16.7%)
Total tracing 8.86 s -
Total iast 9.579 s 718.603 ms (8.1%)

Load


Summary

Found 3 performance improvements and 0 performance regressions! Performance is the same for 17 metrics, 16 unstable metrics.

scenario:load:insecure-bank:iast:high_load
  agg_http_req_duration_p50: better, Δ mean [-152.903µs; -76.987µs] or [-6.090%; -3.066%] (candidate 2.396ms, baseline 2.511ms)
  agg_http_req_duration_p95: better, Δ mean [-511.174µs; -193.571µs] or [-6.900%; -2.613%] (candidate 7.055ms, baseline 7.408ms)
  throughput: unstable, Δ mean [-69.211op/s; +225.399op/s] or [-4.920%; +16.024%] (candidate 1484.719op/s, baseline 1406.625op/s)
scenario:load:petclinic:profiling:high_load
  agg_http_req_duration_p50: better, Δ mean [-1.432ms; -0.577ms] or [-7.367%; -2.968%] (candidate 18.440ms, baseline 19.444ms)
  agg_http_req_duration_p95: unsure, Δ mean [-1.877ms; -0.313ms] or [-6.034%; -1.006%] (candidate 30.010ms, baseline 31.105ms)
  throughput: unstable, Δ mean [-11.634op/s; +33.072op/s] or [-4.912%; +13.962%] (candidate 247.594op/s, baseline 236.875op/s)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.195 ms [1.182 ms, 1.207 ms] -
iast 3.254 ms [3.211 ms, 3.297 ms] 2.059 ms (172.4%)
iast_FULL 5.773 ms [5.716 ms, 5.83 ms] 4.579 ms (383.3%)
iast_GLOBAL 3.451 ms [3.399 ms, 3.503 ms] 2.256 ms (188.9%)
profiling 2.227 ms [2.207 ms, 2.247 ms] 1.032 ms (86.4%)
tracing 1.754 ms [1.741 ms, 1.768 ms] 559.612 µs (46.8%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.17 ms [1.158 ms, 1.181 ms] -
iast 3.079 ms [3.042 ms, 3.117 ms] 1.91 ms (163.3%)
iast_FULL 5.826 ms [5.768 ms, 5.885 ms] 4.657 ms (398.1%)
iast_GLOBAL 3.564 ms [3.509 ms, 3.618 ms] 2.394 ms (204.7%)
profiling 2.248 ms [2.227 ms, 2.269 ms] 1.079 ms (92.2%)
tracing 1.765 ms [1.751 ms, 1.779 ms] 595.475 µs (50.9%)
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.859 ms [17.675 ms, 18.044 ms] -
appsec 18.289 ms [18.102 ms, 18.476 ms] 429.688 µs (2.4%)
code_origins 17.881 ms [17.705 ms, 18.056 ms] 21.595 µs (0.1%)
iast 17.884 ms [17.702 ms, 18.065 ms] 24.455 µs (0.1%)
profiling 19.712 ms [19.514 ms, 19.909 ms] 1.853 ms (10.4%)
tracing 18.478 ms [18.293 ms, 18.664 ms] 619.317 µs (3.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.808 ms [18.609 ms, 19.008 ms] -
appsec 18.514 ms [18.323 ms, 18.705 ms] -294.148 µs (-1.6%)
code_origins 17.87 ms [17.692 ms, 18.048 ms] -938.167 µs (-5.0%)
iast 17.991 ms [17.812 ms, 18.17 ms] -817.426 µs (-4.3%)
profiling 18.854 ms [18.666 ms, 19.042 ms] 45.641 µs (0.2%)
tracing 18.778 ms [18.586 ms, 18.97 ms] -30.558 µs (-0.2%)

Dacapo


Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 1 unstable metrics.

scenario:dacapo:tomcat:appsec
  execution_time: better, Δ mean [-1.409ms; -1.061ms] or [-37.213%; -28.033%] (candidate 2.550ms, baseline 3.785ms)
Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.936 s [14.936 s, 14.936 s] -
appsec 14.79 s [14.79 s, 14.79 s] -146.0 ms (-1.0%)
iast 17.762 s [17.762 s, 17.762 s] 2.826 s (18.9%)
iast_GLOBAL 17.75 s [17.75 s, 17.75 s] 2.814 s (18.8%)
profiling 14.914 s [14.914 s, 14.914 s] -22.0 ms (-0.1%)
tracing 15.304 s [15.304 s, 15.304 s] 368.0 ms (2.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.587 s [15.587 s, 15.587 s] -
appsec 14.881 s [14.881 s, 14.881 s] -706.0 ms (-4.5%)
iast 18.042 s [18.042 s, 18.042 s] 2.455 s (15.8%)
iast_GLOBAL 17.559 s [17.559 s, 17.559 s] 1.972 s (12.7%)
profiling 14.984 s [14.984 s, 14.984 s] -603.0 ms (-3.9%)
tracing 15.209 s [15.209 s, 15.209 s] -378.0 ms (-2.4%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.472 ms [1.461 ms, 1.484 ms] -
appsec 3.785 ms [3.564 ms, 4.006 ms] 2.313 ms (157.1%)
iast 2.258 ms [2.189 ms, 2.327 ms] 785.914 µs (53.4%)
iast_GLOBAL 2.292 ms [2.223 ms, 2.362 ms] 819.681 µs (55.7%)
profiling 2.5 ms [2.335 ms, 2.664 ms] 1.027 ms (69.8%)
tracing 2.056 ms [2.003 ms, 2.11 ms] 584.089 µs (39.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.461 ms, 1.485 ms] -
appsec 2.55 ms [2.493 ms, 2.608 ms] 1.077 ms (73.1%)
iast 2.251 ms [2.182 ms, 2.32 ms] 777.649 µs (52.8%)
iast_GLOBAL 2.303 ms [2.234 ms, 2.372 ms] 829.979 µs (56.3%)
profiling 2.088 ms [2.033 ms, 2.143 ms] 615.038 µs (41.8%)
tracing 2.054 ms [2.0 ms, 2.108 ms] 580.881 µs (39.4%)

…ayBridge

When a WAF blocking action fires, the normal response-header IG callbacks are
bypassed, so http.response.headers.content-type never reaches the span.

Instead of patching every framework's blocking handler, intercept the blocking
flow result in GatewayBridge.maybePublishRequestData / maybePublishResponseData,
compute the deterministic content-type from RequestBlockingAction + accept header,
store it on AppSecRequestContext, and write it as a span tag in onRequestEnded().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61447-bug-blocking branch from ff53095 to 7fec408 Compare March 4, 2026 12:29

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e1f41734a9


@jandro996 jandro996 removed the tag: do not merge Do not merge changes label Mar 5, 2026
@jandro996 jandro996 added this pull request to the merge queue Mar 5, 2026

dd-octo-sts bot commented Mar 5, 2026

/merge


gh-worker-devflow-routing-ef8351 bot commented Mar 5, 2026


2026-03-05 09:36:40 UTC ℹ️ Start processing command /merge


2026-03-05 09:36:45 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-03-05 10:37:13 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 5, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot merged commit bfde4ad into master Mar 5, 2026
743 of 745 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot deleted the alejandro.gonzalez/APPSEC-61447-bug-blocking branch March 5, 2026 10:37
@github-actions github-actions bot added this to the 1.61.0 milestone Mar 5, 2026