Add security response id to AppSec blocking response

[y9v]

What does this PR do?
This PR adds rendering of unique security response identifier in the response when AppSec blocks the request.

Motivation:
This unique identifier, introduced in libddwaf v1.28.0, can be used to correlate blocked requests with logs, traces, and security events.

Change log entry
Yes. AppSec: Add unique security response identifier in the response body for blocked requests.

Additional Notes:
APPSEC-59951.

How to test the change?
CI and manual testing.

[github-actions]

Typing analysis

Note: Ignored files are excluded from the next sections.

Untyped methods

This PR introduces 1 partially typed method, and clears 1 partially typed method.

Partially typed methods (+1-1)

❌ Introduced:

sig/datadog/appsec/response.rbs:12
└── def to_rack: () -> ::Array[untyped]

✅ Cleared:

sig/datadog/appsec/response.rbs:10
└── def to_rack: () -> ::Array[untyped]

If you believe a method or an attribute is rightfully untyped or partially typed, you can add # untyped:accept to the end of the line to remove it from the stats.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-11-14 16:55:19

Comparing candidate commit a7b5d94 in PR branch appsec-add-security-response-id-to-blocking-response with baseline commit 49cee89 in branch master.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 43 metrics, 2 unstable metrics.

scenario:profiling - intern_all 1000 repeated strings

• 🟥 throughput [-1427.133op/s; -1349.292op/s] or [-5.330%; -5.039%]

[datadog-datadog-prod-us1]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage
• Patch Coverage: 104.55%
• Total Coverage: 98.47% (-0.04%)

View detailed report

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: a7b5d94 | Docs | Datadog PR Page | Was this helpful? Give us feedback!}