Collect Datadog security-testing headers on HTTP server entry spans#11418
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 4 commits intoMay 21, 2026
Conversation
Tags x-datadog-endpoint-scan and x-datadog-security-test as http.request.headers.<name> on every HTTP server entry span, unconditionally (independent of DD_TRACE_HEADER_TAGS and AppSec). When an inferred proxy span is the local root, the markers are forwarded from the service-entry span at finish time. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This comment has been minimized.
This comment has been minimized.
Address PR review nit: replace two near-identical anonymous HttpServerDecorator subclasses with one helper that takes the ContextVisitor as a parameter. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Hi! 👋 Thanks for your pull request! 🎉 To help us review it, please make sure to:
If you need help, please check our contributing guidelines. |
manuel-alvarez-alvarez
approved these changes
May 20, 2026
manuel-alvarez-alvarez
left a comment
Member
There was a problem hiding this comment.
LGTM with the follow up to use getRequestHeader when ready.
Contributor
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
The merge request has been interrupted because the build 1695803771668047523 took longer than expected. The current limit for the base branch 'master' is 120 minutes. |
Contributor
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
|
christophe-papazian
added a commit
to DataDog/dd-trace-dotnet
that referenced
this pull request
May 27, 2026
…ry spans (#8682) ## Summary of changes Tag `x-datadog-endpoint-scan` and `x-datadog-security-test` HTTP request headers as `http.request.headers.<name>` on every HTTP server entry span (and the inferred-proxy span when one is created), unconditionally — independent of `DD_TRACE_HEADER_TAGS` and AppSec enablement. Markers are not propagated downstream. ## Reason for change APPSEC-65483 — RFC ["Security Testing: Trace Attribution for Inventory Enrichment and Pollution Prevention"](https://docs.google.com/document/d/1uR4QQvU8pItEV2zFqr3-L6jO2jxzmvLrFTX_yyvqIOA). These two markers let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory. Sibling-tracer implementations already merged: [`dd-trace-py#18049`](DataDog/dd-trace-py#18049), [`dd-trace-js#8463`](DataDog/dd-trace-js#8463), [`dd-trace-java#11418`](DataDog/dd-trace-java#11418). ## Implementation details - New `SpanContextPropagator.AddSecurityTestingHeadersAsTags<THeaders>` reads both markers from any `IHeadersCollection` and tags them on the supplied span. Tag names are precomputed; `string[]` fast-path avoids enumerator allocation on the legacy `NameValueCollection` / `WebHeaderCollection` carriers; presence-based (empty values still tagged). - Wired into every HTTP server entry path: - `AspNetMvcIntegration` (System.Web MVC) — entry span + inferred-proxy span (proxy tagged at creation site) - `AspNetWebApi2Integration` (System.Web Web API 2) — entry span (no proxy support on this path) - `TracingHttpModule` (OWIN/IIS classic) — entry span + inferred-proxy span - `AspNetCoreHttpRequestHandler` (ASP.NET Core, including Azure Functions isolated worker HTTP-proxying mode) — entry span + inferred-proxy span - `WcfCommon` (WCF over HTTP) — entry span ## Test coverage - `SpanContextPropagatorTests_AddSecurityTestingHeadersAsTags` (new — 13 cases): both markers + unrelated header, absent headers, no `HeaderTags` config, only one marker present, empty-string value still tagged, case-insensitive lookup, ASP.NET Core `HeadersCollectionAdapter` with mixed-case lookup. - All existing `SpanContextPropagatorTests*` continue to pass. ## Other details <!-- Fixes #{issue} --> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
APPSEC-64531
Tags
x-datadog-endpoint-scanandx-datadog-security-testHTTP request headerson every HTTP server entry span as
http.request.headers.<name>, unconditionally— independent of
DD_TRACE_HEADER_TAGSand AppSec enablement.These markers let the API endpoint reducer distinguish Datadog scan/test traffic
from real user traffic and keep it out of the API inventory. They are not
propagated downstream: Java's propagator injects only
DDSpanContext, notarbitrary span tags.
When an inferred proxy span is the local root, the markers are forwarded from
the service-entry span at finish time (matching the Node.js implementation).
Test plan
HttpServerDecoratorSecurityTestingHeadersTest(new, JUnit 5)InferredProxySpanTestsfor inferred-proxy forwardingHttpServerDecoratorTest(Groovy) passes — no regression🤖 Generated with Claude Code