Convert downstream requests header keys to lower case

manuel-alvarez-alvarez · manuel-alvarez-alvarez · commit 85670c04df38 · 2026-01-09T11:04:43.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -58,6 +58,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -358,7 +359,7 @@ private Flow<Void> onHttpClientRequest(RequestContext ctx_, HttpClientRequest re
         new MapDataBundle.Builder(CAPACITY_3_4)
             .add(KnownAddresses.IO_NET_URL, request.getUrl())
             .add(KnownAddresses.IO_NET_REQUEST_METHOD, request.getMethod())
-            .add(KnownAddresses.IO_NET_REQUEST_HEADERS, request.getHeaders());
+            .add(KnownAddresses.IO_NET_REQUEST_HEADERS, toLowerCaseHeaders(request.getHeaders()));
 
     if (downstreamSampler().isSampled(ctx, request.getRequestId())) {
       final Object body = parseHttpClientBody(ctx, request);
@@ -398,7 +399,7 @@ private Flow<Void> onHttpClientResponse(RequestContext ctx_, HttpClientResponse
     final MapDataBundle.Builder bundleBuilder =
         new MapDataBundle.Builder(CAPACITY_3_4)
             .add(KnownAddresses.IO_NET_RESPONSE_STATUS, Integer.toString(response.getStatus()))
-            .add(KnownAddresses.IO_NET_RESPONSE_HEADERS, response.getHeaders());
+            .add(KnownAddresses.IO_NET_RESPONSE_HEADERS, toLowerCaseHeaders(response.getHeaders()));
     // ignore the response if not sampled
     if (downstreamSampler().isSampled(ctx, response.getRequestId())) {
       final Object body = parseHttpClientBody(ctx, response);
@@ -429,6 +430,19 @@ private Flow<Void> onHttpClientResponse(RequestContext ctx_, HttpClientResponse
     }
   }
 
+  private Map<String, List<String>> toLowerCaseHeaders(final Map<String, List<String>> headers) {
+    if (headers == null || headers.isEmpty()) {
+      return headers;
+    }
+    final Map<String, List<String>> result = new HashMap<>(headers.size());
+    for (final Map.Entry<String, List<String>> entry : headers.entrySet()) {
+      final String key = entry.getKey();
+      final List<String> value = entry.getValue();
+      result.put(key == null ? null : key.toLowerCase(Locale.ROOT), value);
+    }
+    return result;
+  }
+
   private Object parseHttpClientBody(
       final AppSecRequestContext ctx, final HttpClientPayload payload) {
     if (payload.getContentType() == null || payload.getBody() == null) {
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
@@ -989,7 +989,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     bundle.size() == (sampled ? 4 : 3)
     bundle.get(KnownAddresses.IO_NET_URL) == url
     bundle.get(KnownAddresses.IO_NET_REQUEST_METHOD) == method
-    bundle.get(KnownAddresses.IO_NET_REQUEST_HEADERS) == headers
+    bundle.get(KnownAddresses.IO_NET_REQUEST_HEADERS) == toLowerCaseHeaders(headers)
     if (sampled) {
       bundle.get(KnownAddresses.IO_NET_REQUEST_BODY) == ['Hello': 'World!']
     }
@@ -1029,7 +1029,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     }
     bundle.size() == (sampled ? 3 : 2)
     bundle.get(KnownAddresses.IO_NET_RESPONSE_STATUS) == Integer.toString(status)
-    bundle.get(KnownAddresses.IO_NET_RESPONSE_HEADERS) == headers
+    bundle.get(KnownAddresses.IO_NET_RESPONSE_HEADERS) == toLowerCaseHeaders(headers)
     if (sampled) {
       bundle.get(KnownAddresses.IO_NET_RESPONSE_BODY) == ['Hello': 'World!']
     }
@@ -1615,4 +1615,10 @@ class GatewayBridgeSpecification extends DDSpecification {
       assert body['test'] == 'this is a test'
     }
   }
+
+  static toLowerCaseHeaders(final Map<String, List<String>> headers) {
+    return headers.collectEntries {
+      [(it.key.toLowerCase(Locale.ROOT)): it.value]
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -989,7 +989,7 @@ class GatewayBridgeSpecification extends DDSpecification {`
`989`	`989`	`bundle.size() == (sampled ? 4 : 3)`
`990`	`990`	`bundle.get(KnownAddresses.IO_NET_URL) == url`
`991`	`991`	`bundle.get(KnownAddresses.IO_NET_REQUEST_METHOD) == method`
`992`		`- bundle.get(KnownAddresses.IO_NET_REQUEST_HEADERS) == headers`
	`992`	`+ bundle.get(KnownAddresses.IO_NET_REQUEST_HEADERS) == toLowerCaseHeaders(headers)`
`993`	`993`	`if (sampled) {`
`994`	`994`	`bundle.get(KnownAddresses.IO_NET_REQUEST_BODY) == ['Hello': 'World!']`
`995`	`995`	`}`
`@@ -1029,7 +1029,7 @@ class GatewayBridgeSpecification extends DDSpecification {`
`1029`	`1029`	`}`
`1030`	`1030`	`bundle.size() == (sampled ? 3 : 2)`
`1031`	`1031`	`bundle.get(KnownAddresses.IO_NET_RESPONSE_STATUS) == Integer.toString(status)`
`1032`		`- bundle.get(KnownAddresses.IO_NET_RESPONSE_HEADERS) == headers`
	`1032`	`+ bundle.get(KnownAddresses.IO_NET_RESPONSE_HEADERS) == toLowerCaseHeaders(headers)`
`1033`	`1033`	`if (sampled) {`
`1034`	`1034`	`bundle.get(KnownAddresses.IO_NET_RESPONSE_BODY) == ['Hello': 'World!']`
`1035`	`1035`	`}`
`@@ -1615,4 +1615,10 @@ class GatewayBridgeSpecification extends DDSpecification {`
`1615`	`1615`	`assert body['test'] == 'this is a test'`
`1616`	`1616`	`}`
`1617`	`1617`	`}`
	`1618`	`+`
	`1619`	`+ static toLowerCaseHeaders(final Map<String, List<String>> headers) {`
	`1620`	`+ return headers.collectEntries {`
	`1621`	`+ [(it.key.toLowerCase(Locale.ROOT)): it.value]`
	`1622`	`+ }`
	`1623`	`+ }`
`1618`	`1624`	`}`