[APPSEC-61515] Move response headers tagging into Rack middleware

[Strech]

What does this PR do?

It moved response span tags assignment to be unconditional for the enabled AppSec product.

Motivation:

This is a part of the change required by frontend to be able to have a better views/correlations/etc.

Change log entry

No.

Additional Notes:

Major
Implementation is "best effort" meaning we will not risk buffering response bodies to compute the content length in order to set span tag. Meaning that in old Rails versions 4.x and steaming bodies (IO, yielding, etc) we will not be able to provide content-length span tag.

Minor
This PR includes some fixes to existing contrib as they ignored the Rack triplet specification.

How to test the change?

CI + ST

[github-actions]

Typing analysis

Note: Ignored files are excluded from the next sections.

Untyped methods

This PR introduces 2 partially typed methods, and clears 2 partially typed methods. It decreases the percentage of typed methods from 61.1% to 61.08% (-0.02%).

Partially typed methods (+2-2)

❌ Introduced:

sig/datadog/appsec/event.rbs:25
└── def self.waf_tags: (::Array[untyped]) -> tags
sig/datadog/appsec/event.rbs:29
└── def self.json_parse: (untyped value) -> ::String?

✅ Cleared:

sig/datadog/appsec/event.rbs:31
└── def self.waf_tags: (::Array[untyped]) -> tags
sig/datadog/appsec/event.rbs:37
└── def self.json_parse: (untyped value) -> ::String?

If you believe a method or an attribute is rightfully untyped or partially typed, you can add # untyped:accept on the line before the definition to remove it from the stats.

[datadog-datadog-prod-us1-2]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 98.90%
• Overall Coverage: 95.16% (+0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: b770ed5 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-03-10 20:47:30

Comparing candidate commit b770ed5 in PR branch appsec-61515-add-content-headers-when-appsec-enabled with baseline commit b8438b6 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 0 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

• 🟩 = significantly better candidate vs. baseline
• 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'