Merge pull request #5049 from DataDog/appsec-add-security-response-id-to-blocking-response

y9v · web-flow · commit f8094b58a7cb · 2025-11-18T11:03:14.000+01:00
Add security response id to AppSec blocking response
diff --git a/lib/datadog/appsec/assets.rb b/lib/datadog/appsec/assets.rb
@@ -21,7 +21,7 @@ def waf_scanners
       end
 
       def blocked(format: :html)
-        (@blocked ||= {})[format] ||= read("blocked.#{format}")
+        (@blocked ||= {})[format] ||= read("blocked.#{format}").freeze
       end
 
       def path
diff --git a/lib/datadog/appsec/assets/blocked.html b/lib/datadog/appsec/assets/blocked.html
@@ -82,12 +82,20 @@
         footer p {
             font-size: 16px
         }
+
+        .security-response-id {
+            font-size:14px;
+            color:#999;
+            margin-top:20px;
+            font-family:monospace
+        }
     </style>
 </head>
 
 <body>
     <main>
         <p>Sorry, you cannot access this page. Please contact the customer service team.</p>
+        <p class="security-response-id">Security Response ID: [security_response_id]</p>
     </main>
     <footer>
         <p>Security provided by <a
diff --git a/lib/datadog/appsec/assets/blocked.json b/lib/datadog/appsec/assets/blocked.json
@@ -1 +1 @@
-{"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}
diff --git a/lib/datadog/appsec/assets/blocked.text b/lib/datadog/appsec/assets/blocked.text
@@ -1,5 +1,7 @@
-You've been blocked
+You've been blocked.
 
 Sorry, you cannot access this page. Please contact the customer service team.
 
+Security Response ID: [security_response_id]
+
 Security provided by Datadog.
diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb
@@ -7,6 +7,8 @@ module Datadog
   module AppSec
     # AppSec response
     class Response
+      SECURITY_RESPONSE_ID_PLACEHOLDER = '[security_response_id]'
+
       attr_reader :status, :headers, :body
 
       def initialize(status:, headers: {}, body: [])
@@ -37,7 +39,12 @@ def block_response(interrupt_params, http_accept_header)
           Response.new(
             status: interrupt_params['status_code']&.to_i || 403,
             headers: {'Content-Type' => content_type},
-            body: [content(content_type)],
+            body: [
+              content(
+                security_response_id: interrupt_params['security_response_id'],
+                content_type: content_type
+              )
+            ],
           )
         end
 
@@ -82,16 +89,18 @@ def content_type(http_accept_header)
           DEFAULT_CONTENT_TYPE
         end
 
-        def content(content_type)
+        def content(security_response_id:, content_type:)
           content_format = CONTENT_TYPE_TO_FORMAT[content_type]
 
           using_default = Datadog.configuration.appsec.block.templates.using_default?(content_format)
 
-          if using_default
+          template = if using_default
             Datadog::AppSec::Assets.blocked(format: content_format)
           else
             Datadog.configuration.appsec.block.templates.send(content_format)
           end
+
+          template.gsub(SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id.to_s)
         end
       end
     end
diff --git a/sig/datadog/appsec/response.rbs b/sig/datadog/appsec/response.rbs
@@ -1,6 +1,8 @@
 module Datadog
   module AppSec
     class Response
+      SECURITY_RESPONSE_ID_PLACEHOLDER: ::String
+
       attr_reader status: ::Integer
       attr_reader headers: ::Hash[::String, ::String]
       attr_reader body: ::Array[::String]
@@ -21,7 +23,7 @@ module Datadog
       def self.redirect_response: (::Hash[::String, ::String] interrupt_params) -> Response
 
       def self.content_type: (::String) -> ::String
-      def self.content: (::String) -> ::String
+      def self.content: (security_response_id: ::String, content_type: ::String) -> ::String
     end
   end
 end
diff --git a/spec/datadog/appsec/response_spec.rb b/spec/datadog/appsec/response_spec.rb
@@ -9,12 +9,14 @@
         let(:interrupt_params) do
           {
             'type' => type,
-            'status_code' => status_code
+            'status_code' => status_code,
+            'security_response_id' => security_response_id
           }
         end
 
         let(:type) { 'html' }
         let(:status_code) { '100' }
+        let(:security_response_id) { '73bb7b99-52f6-43ea-998c-6cbc6b80f520' }
 
         context 'status_code' do
           subject(:status) { described_class.from_interrupt_params(interrupt_params, http_accept_header).status }
@@ -31,13 +33,25 @@
         context 'body' do
           subject(:body) { described_class.from_interrupt_params(interrupt_params, http_accept_header).body }
 
-          it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :html)] }
+          it 'includes security response ID in the response body' do
+            expect(body).to match_array([include(security_response_id)])
+          end
 
           context 'type is auto it uses the HTTP_ACCEPT to decide the result' do
             let(:type) { 'auto' }
             let(:http_accept_header) { 'application/json' }
 
-            it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+            it 'includes security response ID in the response body' do
+              expect(body).to match_array([include(security_response_id)])
+            end
+
+            it 'returns the response body with correct content type' do
+              expect(body).to eq([
+                Datadog::AppSec::Assets
+                  .blocked(format: :json)
+                  .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+              ])
+            end
           end
         end
 
@@ -60,11 +74,14 @@
           let(:interrupt_params) { {} }
           subject(:response) { described_class.from_interrupt_params(interrupt_params, http_accept_header) }
 
-          it 'uses default response' do
+          it 'uses default response replaces placeholders in the template' do
             expect(response.status).to eq 403
-            expect(response.body).to eq [Datadog::AppSec::Assets.blocked(format: :html)]
             expect(response.headers['Content-Type']).to eq 'text/html'
           end
+
+          it 'does not render security response ID placeholders' do
+            expect(response.body).not_to match_array([include(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER)])
+          end
         end
       end
 
@@ -116,7 +133,14 @@
     end
 
     describe '.body' do
-      subject(:body) { described_class.from_interrupt_params({}, http_accept_header).body }
+      let(:security_response_id) { SecureRandom.uuid }
+
+      subject(:body) do
+        described_class.from_interrupt_params(
+          {'security_response_id' => security_response_id},
+          http_accept_header
+        ).body
+      end
 
       shared_examples_for 'with custom response body' do |type|
         before do
@@ -135,29 +159,53 @@
       context 'with unsupported Accept headers' do
         let(:http_accept_header) { 'application/xml' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+        it 'returns default json template with security response ID' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :json)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
       end
 
       context('with Accept: text/html') do
         let(:http_accept_header) { 'text/html' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :html)] }
+        it 'returns default html template with security response ID' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :html)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :html
       end
 
       context('with Accept: application/json') do
         let(:http_accept_header) { 'application/json' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :json)] }
+        it 'returns default json template with security response ID' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :json)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :json
       end
 
       context('with Accept: text/plain') do
         let(:http_accept_header) { 'text/plain' }
 
-        it { is_expected.to eq [Datadog::AppSec::Assets.blocked(format: :text)] }
+        it 'returns default text template with security response ID' do
+          expect(body).to eq([
+            Datadog::AppSec::Assets
+              .blocked(format: :text)
+              .gsub(Datadog::AppSec::Response::SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          ])
+        end
 
         it_behaves_like 'with custom response body', :text
       end

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}`
	`1`	`+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}`