feat(tracing): collect Datadog security-testing headers on entry spans#18049
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits intoMay 15, 2026
Unconditionally tag `x-datadog-endpoint-scan` and `x-datadog-security-test` request headers as `http.request.headers.<name>` on any span that goes through `set_http_meta`, matching the scope of user-agent/referrer extraction. Collection does not depend on DD_TRACE_HEADER_TAGS or AppSec enablement. These headers let the API endpoint reducer distinguish scan/test traffic from real user traffic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The RFC requires unconditional collection of these markers. An empty header value is a valid signal (the header is still present), so switch from `if value:` to `if value is not None:` and flip the corresponding test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dubloom
approved these changes
May 13, 2026
avara1986
approved these changes
May 13, 2026
brettlangdon
approved these changes
May 13, 2026
christophe-papazian
added a commit
to DataDog/dd-trace-dotnet
that referenced
this pull request
May 27, 2026
…ry spans (#8682)

## Summary of changes

Tag `x-datadog-endpoint-scan` and `x-datadog-security-test` HTTP request headers as `http.request.headers.<name>` on every HTTP server entry span (and the inferred-proxy span when one is created), unconditionally — independent of `DD_TRACE_HEADER_TAGS` and AppSec enablement. Markers are not propagated downstream.

## Reason for change

APPSEC-65483 — RFC ["Security Testing: Trace Attribution for Inventory Enrichment and Pollution Prevention"](https://docs.google.com/document/d/1uR4QQvU8pItEV2zFqr3-L6jO2jxzmvLrFTX_yyvqIOA). These two markers let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory. Sibling-tracer implementations already merged: [`dd-trace-py#18049`](DataDog/dd-trace-py#18049), [`dd-trace-js#8463`](DataDog/dd-trace-js#8463), [`dd-trace-java#11418`](DataDog/dd-trace-java#11418).

## Implementation details

- New `SpanContextPropagator.AddSecurityTestingHeadersAsTags<THeaders>` reads both markers from any `IHeadersCollection` and tags them on the supplied span. Tag names are precomputed; `string[]` fast-path avoids enumerator allocation on the legacy `NameValueCollection` / `WebHeaderCollection` carriers; presence-based (empty values still tagged).
- Wired into every HTTP server entry path:
  - `AspNetMvcIntegration` (System.Web MVC) — entry span + inferred-proxy span (proxy tagged at creation site)
  - `AspNetWebApi2Integration` (System.Web Web API 2) — entry span (no proxy support on this path)
  - `TracingHttpModule` (OWIN/IIS classic) — entry span + inferred-proxy span
  - `AspNetCoreHttpRequestHandler` (ASP.NET Core, including Azure Functions isolated worker HTTP-proxying mode) — entry span + inferred-proxy span
  - `WcfCommon` (WCF over HTTP) — entry span

## Test coverage

- `SpanContextPropagatorTests_AddSecurityTestingHeadersAsTags` (new — 13 cases): both markers + unrelated header, absent headers, no `HeaderTags` config, only one marker present, empty-string value still tagged, case-insensitive lookup, ASP.NET Core `HeadersCollectionAdapter` with mixed-case lookup.
- All existing `SpanContextPropagatorTests*` continue to pass.

## Other details

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
APPSEC-62412
Summary
Tags two new Datadog markers — `x-datadog-endpoint-scan` and `x-datadog-security-test` — on every span that goes through `set_http_meta`, as `http.request.headers.<name>`. Collection is unconditional: it happens regardless of `DD_TRACE_HEADER_TAGS` or AppSec being enabled. Scope intentionally matches the existing user-agent/referrer extraction. These let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory.

The dd-style tag name (`http.request.headers.<name>`) is what dd-trace-py emits; the OTel-style variant (`http.request.header.<name>`) is handled by the reducer, not by tracers.

RFC: Security Testing: Trace Attribution for Inventory Enrichment and Pollution Prevention
Test plan
`tests/tracer/test_trace_utils.py::TestHeaders` (5 new): unconditional collection, absent, case-sensitive lookup, empty-value, non-propagation via `HTTPPropagator.inject`

🤖 Generated with Claude Code
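The presence-based collection the PR describes (and the `if value:` to `if value is not None:` change from the second commit), as a constructed illustration that is not dd-trace-py's own code: the header names and the dd-style tag prefix are taken from the PR, while `collect_security_testing_tags`, `is_security_testing_traffic`, the case-insensitive lookup and the reducer-side check are assumptions of this example.

```python
"""Presence-based collection of Datadog security-testing markers.

Constructed illustration, not dd-trace-py's implementation: header names and
the dd-style tag prefix come from the PR; everything else is a stand-in.
"""
from typing import Dict, Mapping, Optional

SECURITY_TESTING_HEADERS = ("x-datadog-endpoint-scan", "x-datadog-security-test")
DD_TAG_PREFIX = "http.request.headers."    # what dd-trace-py emits
OTEL_TAG_PREFIX = "http.request.header."   # variant the reducer also understands


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (an assumption of this example)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def collect_security_testing_tags(headers: Mapping[str, str],
                                  presence_based: bool = True) -> Dict[str, str]:
    """Return the span tags for any marker found in the request headers.

    presence_based=True reproduces the merged behaviour (``if value is not None``):
    an empty header value is still recorded, because presence is the signal.
    presence_based=False reproduces the earlier ``if value:`` check, which
    silently drops a marker sent with an empty value.
    Collection is unconditional: no DD_TRACE_HEADER_TAGS or AppSec gate here.
    """
    tags: Dict[str, str] = {}
    for name in SECURITY_TESTING_HEADERS:
        value = _lookup(headers, name)
        keep = (value is not None) if presence_based else bool(value)
        if keep:
            tags[DD_TAG_PREFIX + name] = value
    return tags


def is_security_testing_traffic(span_tags: Mapping[str, str]) -> bool:
    """Reducer-side stand-in: either marker, dd- or OTel-style, flags the span."""
    for name in SECURITY_TESTING_HEADERS:
        if DD_TAG_PREFIX + name in span_tags or OTEL_TAG_PREFIX + name in span_tags:
            return True
    return False


if __name__ == "__main__":
    # Constructed request: scan marker present but empty, test marker set.
    incoming = {"X-Datadog-Endpoint-Scan": "", "x-datadog-security-test": "1",
                "User-Agent": "curl/8.0"}
    print(collect_security_testing_tags(incoming))                        # both markers kept
    print(collect_security_testing_tags(incoming, presence_based=False))  # empty one lost
```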