Add security response id to AppSec blocking response

y9v · y9v · commit bb2b04f709ff · 2025-11-14T17:08:55.000+01:00
This unique identifier, introduced in `libddwaf` v1.28.0, can be used to
correlate blocked requests with logs, traces, and security events.
diff --git a/lib/datadog/appsec/assets/blocked.html b/lib/datadog/appsec/assets/blocked.html
@@ -82,12 +82,20 @@
         footer p {
             font-size: 16px
         }
+
+        .security-response-id {
+            font-size:14px;
+            color:#999;
+            margin-top:20px;
+            font-family:monospace
+        }
     </style>
 </head>
 
 <body>
     <main>
         <p>Sorry, you cannot access this page. Please contact the customer service team.</p>
+        <p class="security-response-id">Security Response ID: [security_response_id]</p>
     </main>
     <footer>
         <p>Security provided by <a
diff --git a/lib/datadog/appsec/assets/blocked.json b/lib/datadog/appsec/assets/blocked.json
@@ -1 +1 @@
-{"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}
diff --git a/lib/datadog/appsec/assets/blocked.text b/lib/datadog/appsec/assets/blocked.text
@@ -1,5 +1,7 @@
-You've been blocked
+You've been blocked.
 
 Sorry, you cannot access this page. Please contact the customer service team.
 
+Security Response ID: [security_response_id]
+
 Security provided by Datadog.
diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb
@@ -7,6 +7,8 @@ module Datadog
   module AppSec
     # AppSec response
     class Response
+      SECURITY_RESPONSE_ID_PLACEHOLDER = '[security_response_id]'
+
       attr_reader :status, :headers, :body
 
       def initialize(status:, headers: {}, body: [])
@@ -37,7 +39,12 @@ def block_response(interrupt_params, http_accept_header)
           Response.new(
             status: interrupt_params['status_code']&.to_i || 403,
             headers: {'Content-Type' => content_type},
-            body: [content(content_type)],
+            body: [
+              content(
+                security_response_id: interrupt_params['security_response_id'],
+                content_type: content_type
+              )
+            ],
           )
         end
 
@@ -82,16 +89,20 @@ def content_type(http_accept_header)
           DEFAULT_CONTENT_TYPE
         end
 
-        def content(content_type)
+        def content(security_response_id:, content_type:)
           content_format = CONTENT_TYPE_TO_FORMAT[content_type]
 
           using_default = Datadog.configuration.appsec.block.templates.using_default?(content_format)
 
-          if using_default
+          template = if using_default
             Datadog::AppSec::Assets.blocked(format: content_format)
           else
             Datadog.configuration.appsec.block.templates.send(content_format)
           end
+
+          # we want to return a new string here to avoid mutating the template,
+          # since it is memoized in AppSec::Assets module
+          template.gsub(SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id.to_s)
         end
       end
     end
diff --git a/sig/datadog/appsec/response.rbs b/sig/datadog/appsec/response.rbs
@@ -1,6 +1,8 @@
 module Datadog
   module AppSec
     class Response
+      SECURITY_RESPONSE_ID_PLACEHOLDER: ::String
+
       attr_reader status: ::Integer
       attr_reader headers: ::Hash[::String, ::String]
       attr_reader body: ::Array[::String]
@@ -21,7 +23,7 @@ module Datadog
       def self.redirect_response: (::Hash[::String, ::String] interrupt_params) -> Response
 
       def self.content_type: (::String) -> ::String
-      def self.content: (::String) -> ::String
+      def self.content: (security_response_id: ::String, content_type: ::String) -> ::String
     end
   end
 end
diff --git a/spec/datadog/appsec/response_spec.rb b/spec/datadog/appsec/response_spec.rb
@@ -1,3 +1,5 @@
+require 'securerandom'
+
 require 'datadog/appsec/response'
 
 RSpec.describe Datadog::AppSec::Response do
@@ -9,12 +11,14 @@
         let(:interrupt_params) do
           {
             'type' => type,
-            'status_code' => status_code
+            'status_code' => status_code,
+            'security_response_id' => security_response_id
           }
         end
 
         let(:type) { 'html' }
         let(:status_code) { '100' }
+        let(:security_response_id) { SecureRandom.uuid }
 
         context 'status_code' do
           subject(:status) { described_class.from_interrupt_params(interrupt_params, http_accept_header).status }
@@ -31,13 +35,25 @@
         context 'body' do
           subject(:body) { described_class.from_interrupt_params(interrupt_params, http_accept_header).body }
 
-          it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :html)] }
+          it 'returns response template with substituted [security_response_id]' do
+            expect(body).to eq([
+              Datadog::AppSec::Assets
+                .blocked(format: :html)
+                .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+            ])
+          end
 
           context 'type is auto it uses the HTTP_ACCEPT to decide the result' do
             let(:type) { 'auto' }
             let(:http_accept_header) { 'application/json' }
 
-            it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+            it 'returns the response body with correct content type' do
+              expect(body).to eq([
+                Datadog::AppSec::Assets
+                  .blocked(format: :json)
+                  .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+              ])
+            end
           end
         end
 
@@ -60,10 +76,15 @@
           let(:interrupt_params) { {} }
           subject(:response) { described_class.from_interrupt_params(interrupt_params, http_accept_header) }
 
-          it 'uses default response' do
+          it 'uses default response and removes [security_response_id] from the template' do
             expect(response.status).to eq 403
-            expect(response.body).to eq [Datadog::AppSec::Assets.blocked(format: :html)]
             expect(response.headers['Content-Type']).to eq 'text/html'
+
+            expect(response.body).to eq([
+              Datadog::AppSec::Assets
+                .blocked(format: :html)
+                .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, '')
+            ])
           end
         end
       end
@@ -116,7 +137,14 @@
     end
 
     describe '.body' do
-      subject(:body) { described_class.from_interrupt_params({}, http_accept_header).body }
+      let(:security_response_id) { SecureRandom.uuid }
+
+      subject(:body) do
+        described_class.from_interrupt_params(
+          {'security_response_id' => security_response_id},
+          http_accept_header
+        ).body
+      end
 
       shared_examples_for 'with custom response body' do |type|
         before do
@@ -135,29 +163,53 @@
       context 'with unsupported Accept headers' do
         let(:http_accept_header) { 'application/xml' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+        it 'returns default json template with substituted security_response_id' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :json)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
       end
 
       context('with Accept: text/html') do
         let(:http_accept_header) { 'text/html' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :html)] }
+        it 'returns default html template with substituted security_response_id' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :html)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :html
       end
 
       context('with Accept: application/json') do
         let(:http_accept_header) { 'application/json' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+        it 'returns default json template with substituted security_response_id' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :json)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :json
       end
 
       context('with Accept: text/plain') do
         let(:http_accept_header) { 'text/plain' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :text)] }
+        it 'returns default text template with substituted security_response_id' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :text)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :text
       end

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}`
	`1`	`+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}`