From 30f4b7064970151170c14a915fff1438980819bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Mon, 23 Mar 2026 16:16:08 +0100
Subject: [PATCH 1/9] draft of the fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../config/FixedHeadersConfigurer.java        | 239 ++++++++++++++++++
 .../config/NewSecurityConfiguration.java      |   6 +-
 2 files changed, 241 insertions(+), 4 deletions(-)
 create mode 100644 gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java
new file mode 100644
index 0000000000..05871d4dec
--- /dev/null
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java
@@ -0,0 +1,239 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.config;
+
+import lombok.RequiredArgsConstructor;
+import lombok.experimental.Delegate;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.util.OnCommittedResponseWrapper;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.List;
+
+@RequiredArgsConstructor
+class FixedHeadersConfigurer<H extends HttpSecurityBuilder<H>> extends HeadersConfigurer<H> {
+
+    @Delegate(excludes = Configure.class)
+    protected final HeadersConfigurer<H> original;
+
+    public static HttpSecurity fix(HttpSecurity httpSecurity) throws Exception {
+        // remove the invalid configured
+        HeadersConfigurer originalConfigurer = httpSecurity.removeConfigurer(HeadersConfigurer.class);
+
+        // add back the fixed version
+        httpSecurity.apply(new FixedHeadersConfigurer(originalConfigurer));
+
+        return httpSecurity;
+    }
+
+    @Override
+    public void configure(H http) {
+        HeaderWriterFilter headersFilter = createHeaderWriterFilter();
+        http.addFilter(headersFilter);
+    }
+
+    private HeaderWriterFilter createHeaderWriterFilter() {
+        List<HeaderWriter> writers;
+        try {
+            Method getHeaderWriters = HeadersConfigurer.class.getDeclaredMethod("getHeaderWriters");
+            getHeaderWriters.setAccessible(true);
+            writers = (List<HeaderWriter>) getHeaderWriters.invoke(original);
+        } catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException |
+                 InvocationTargetException e) {
+            throw new IllegalStateException("The implementation was changed", e);
+        }
+
+        if (writers.isEmpty()) {
+            throw new IllegalStateException(
+                "Headers security is enabled, but no headers will be added. Either add headers or disable headers security");
+        }
+        HeaderWriterFilter headersFilter = new FixedHeaderWriterFilter(writers);
+        headersFilter = postProcess(headersFilter);
+        return headersFilter;
+    }
+
+    interface Configure<H extends HttpSecurityBuilder<H>> {
+
+        void configure(H http);
+
+    }
+
+    static abstract class FixedOnCommittedResponseWrapper extends OnCommittedResponseWrapper {
+
+        public FixedOnCommittedResponseWrapper(HttpServletResponse response) {
+            super(response);
+        }
+
+        @Override
+        public void addHeader(String name, String value) {
+            checkContentLengthHeader(name, value);
+            super.addHeader(name, value);
+        }
+
+        @Override
+        public void addIntHeader(String name, int value) {
+            checkContentLengthHeader(name, value);
+            super.addIntHeader(name, value);
+        }
+
+        @Override
+        public void setHeader(String name, String value) {
+            checkContentLengthHeader(name, value);
+            super.setHeader(name, value);
+        }
+
+        @Override
+        public void setIntHeader(String name, int value) {
+            checkContentLengthHeader(name, value);
+            super.setIntHeader(name, value);
+        }
+
+        private void checkContentLengthHeader(String name, int value) {
+            if ("Content-Length".equalsIgnoreCase(name)) {
+                setContentLength(value);
+            }
+        }
+
+        private void checkContentLengthHeader(String name, String value) {
+            if ("Content-Length".equalsIgnoreCase(name)) {
+                setContentLength(Integer.parseInt(value));
+            }
+        }
+
+    }
+
+    static class FixedHeaderWriterFilter extends HeaderWriterFilter {
+
+        private final List<HeaderWriter> headerWriters;
+
+        private boolean shouldWriteHeadersEagerly = false;
+
+        public FixedHeaderWriterFilter(List<HeaderWriter> headerWriters) {
+            super(headerWriters);
+            this.headerWriters = headerWriters;
+        }
+
+        @Override
+        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+            if (this.shouldWriteHeadersEagerly) {
+                doHeadersBefore(request, response, filterChain);
+            }
+            else {
+                doHeadersAfter(request, response, filterChain);
+            }
+        }
+
+        private void doHeadersBefore(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+            writeHeaders(request, response);
+            filterChain.doFilter(request, response);
+        }
+
+        private void doHeadersAfter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+            FixedHeaderWriterResponse headerWriterResponse = new FixedHeaderWriterResponse(request, response);
+            FixedHeaderWriterRequest headerWriterRequest = new FixedHeaderWriterRequest(request, headerWriterResponse);
+            try {
+                filterChain.doFilter(headerWriterRequest, headerWriterResponse);
+            }
+            finally {
+                headerWriterResponse.writeHeaders();
+            }
+        }
+
+        void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
+            for (HeaderWriter writer : this.headerWriters) {
+                writer.writeHeaders(request, response);
+            }
+        }
+
+        class FixedHeaderWriterResponse extends FixedOnCommittedResponseWrapper {
+
+            private final HttpServletRequest request;
+
+            FixedHeaderWriterResponse(HttpServletRequest request, HttpServletResponse response) {
+                super(response);
+                this.request = request;
+            }
+
+            @Override
+            protected void onResponseCommitted() {
+                writeHeaders();
+                this.disableOnResponseCommitted();
+            }
+
+            protected void writeHeaders() {
+                if (isDisableOnResponseCommitted()) {
+                    return;
+                }
+                FixedHeaderWriterFilter.this.writeHeaders(this.request, getHttpResponse());
+            }
+
+            private HttpServletResponse getHttpResponse() {
+                return (HttpServletResponse) getResponse();
+            }
+
+        }
+
+        static class FixedHeaderWriterRequest extends HttpServletRequestWrapper {
+
+            private final FixedHeaderWriterResponse response;
+
+            FixedHeaderWriterRequest(HttpServletRequest request, FixedHeaderWriterResponse response) {
+                super(request);
+                this.response = response;
+            }
+
+            @Override
+            public RequestDispatcher getRequestDispatcher(String path) {
+                return new FixedHeaderWriterFilter.FixedHeaderWriterRequestDispatcher(super.getRequestDispatcher(path), this.response);
+            }
+
+        }
+
+        static class FixedHeaderWriterRequestDispatcher implements RequestDispatcher {
+
+            private final RequestDispatcher delegate;
+
+            private final FixedHeaderWriterResponse response;
+
+            FixedHeaderWriterRequestDispatcher(RequestDispatcher delegate, FixedHeaderWriterResponse response) {
+                this.delegate = delegate;
+                this.response = response;
+            }
+
+            @Override
+            public void forward(ServletRequest request, ServletResponse response) throws ServletException, IOException {
+                this.delegate.forward(request, response);
+            }
+
+            @Override
+            public void include(ServletRequest request, ServletResponse response) throws ServletException, IOException {
+                this.response.onResponseCommitted();
+                this.delegate.include(request, response);
+            }
+
+        }
+
+    }
+
+}
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
index bf4918f077..f2174e58a3 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
@@ -649,7 +649,7 @@ protected HttpSecurity baseConfigure(HttpSecurity http) throws Exception {
             http.addFilterBefore(new AttlsFilter(), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class);
             http.addFilterBefore(new SecureConnectionFilter(), AttlsFilter.class);
         }
-        return http
+        return FixedHeadersConfigurer.fix(http
             .cors(withDefaults()).csrf(csrf -> csrf.disable())    // NOSONAR we are using SAMESITE cookie to mitigate CSRF
             .headers(headers -> headers
                 .httpStrictTransportSecurity(HeadersConfigurer.HstsConfig::disable)
@@ -658,9 +658,7 @@ protected HttpSecurity baseConfigure(HttpSecurity http) throws Exception {
             .exceptionHandling(handling -> handling
                 .authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler()))
             .sessionManagement(management -> management
-                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-            .exceptionHandling(handling -> handling
-                .authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler()));
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)));
     }
 
     private UserDetailsService x509UserDetailsService() {

From 8e54689e6d7d54ebe51457a0b85af93dad0628a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Tue, 24 Mar 2026 13:37:42 +0100
Subject: [PATCH 2/9] test on GW
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../acceptance/ResponseHeaderFixTest.java     | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java

diff --git a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
new file mode 100644
index 0000000000..fbcadaa602
--- /dev/null
+++ b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
@@ -0,0 +1,112 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.acceptance;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.zowe.apiml.gateway.GatewayApplication;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static io.restassured.RestAssured.given;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+
+@SpringBootTest(
+    classes = {
+        GatewayApplication.class,
+        ResponseHeaderFixTest.TestController.class
+    },
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+@ActiveProfiles("ResponseHeaderFixTest")
+public class ResponseHeaderFixTest {
+
+    private static final int TEST_CONTENT_LENGTH = 101;
+    private static final String CONTENT_LENGHT = "Content-Length";
+
+    @LocalServerPort
+    protected int port;
+
+    @ParameterizedTest(name = "Test handling setting context-type using {1}")
+    @CsvSource({
+        "0,addHeader(String name, String value)",
+        "1,setHeader(String name, String value)",
+        "2,setIntHeader(String name, int value)",
+        "3,addIntHeader(String name, int value)"
+    })
+    void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/test/%d/%s", port, method, CONTENT_LENGHT))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGHT, String.valueOf(TEST_CONTENT_LENGTH))
+            .header("Strict-Transport-Security", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @ParameterizedTest(name = "Test handling headers without content-type using {1}")
+    @CsvSource({
+        "0,addHeader(String name, String value)",
+        "1,setHeader(String name, String value)",
+        "2,setIntHeader(String name, int value)",
+        "3,addIntHeader(String name, int value)"
+    })
+    void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/test/%d/%s", port, method, "otherHeaderName"))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGHT,"0")
+            .header("Strict-Transport-Security", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @RestController
+    @Profile("ResponseHeaderFixTest")
+    static class TestController {
+
+        @GetMapping(value = "/test/{method}/{headerName}")
+        public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
+            switch(method) {
+                case 0:
+                    response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 1:
+                    response.setHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 2:
+                    response.setIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                case 3:
+                    response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                default:
+                    throw new IllegalArgumentException("Uknown method: " + method);
+            }
+
+        }
+
+    }
+
+}

From c2b53cb4c5f2f8eb4be17200b5b691f3c4235392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Tue, 24 Mar 2026 17:36:09 +0100
Subject: [PATCH 3/9]  rollout + tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../security/SecurityConfiguration.java       |   8 +-
 .../standalone/StandaloneSecurityConfig.java  |  24 ++--
 .../acceptance/ResponseHeaderFixTest.java     | 111 +++++++++++++++
 .../caching/config/SpringSecurityConfig.java  |   3 +-
 .../acceptance/ResponseHeaderFixTest.java     | 132 ++++++++++++++++++
 common-service-core/build.gradle              |   3 +
 .../security}/FixedHeadersConfigurer.java     |   4 +-
 .../config/AbstractWebSecurityConfigurer.java |   5 +-
 .../acceptance/ResponseHeaderFixTest.java     | 117 ++++++++++++++++
 .../config/NewSecurityConfiguration.java      |   1 +
 .../acceptance/ResponseHeaderFixTest.java     |  26 ++--
 .../security/SpringSecurityConfiguration.java |   3 +-
 .../acceptance/ResponseHeaderFixTest.java     | 117 ++++++++++++++++
 13 files changed, 519 insertions(+), 35 deletions(-)
 create mode 100644 api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
 create mode 100644 caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
 rename {gateway-service/src/main/java/org/zowe/apiml/gateway/security/config => common-service-core/src/main/java/org/zowe/apiml/security}/FixedHeadersConfigurer.java (98%)
 create mode 100644 discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
 create mode 100644 metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java

diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
index 56fda93a00..987688c95f 100644
--- a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
@@ -35,6 +35,7 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.zowe.apiml.filter.AttlsFilter;
 import org.zowe.apiml.filter.SecureConnectionFilter;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 import org.zowe.apiml.security.client.EnableApimlAuth;
 import org.zowe.apiml.security.client.login.GatewayLoginProvider;
 import org.zowe.apiml.security.client.token.GatewayTokenProvider;
@@ -197,7 +198,7 @@ SecurityFilterChain basicAuthOrTokenAllEndpointsFilterChain(HttpSecurity http, L
     }
 
     private HttpSecurity baseConfiguration(HttpSecurity http) throws Exception {
-        http
+        return FixedHeadersConfigurer.fix(http
                 .csrf(csrf -> csrf.disable())   // NOSONAR
                 .headers(headers -> headers
                         .httpStrictTransportSecurity().disable()
@@ -217,9 +218,8 @@ private HttpSecurity baseConfiguration(HttpSecurity http) throws Exception {
                                 handlerInitializer.getUnAuthorizedHandler(), new AntPathRequestMatcher("/**")
                         ))
                 .sessionManagement(management -> management
-                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
-
-        return http;
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+        );
     }
 
     @Bean
diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/standalone/StandaloneSecurityConfig.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/standalone/StandaloneSecurityConfig.java
index 34b39a2373..a2c517f5b4 100644
--- a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/standalone/StandaloneSecurityConfig.java
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/standalone/StandaloneSecurityConfig.java
@@ -11,8 +11,7 @@
 package org.zowe.apiml.apicatalog.standalone;
 
 
-import javax.annotation.PostConstruct;
-
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -20,9 +19,10 @@
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 import org.zowe.apiml.product.constants.CoreService;
 
-import lombok.extern.slf4j.Slf4j;
+import javax.annotation.PostConstruct;
 
 @Configuration
 @ConditionalOnProperty(value = "apiml.catalog.standalone.enabled", havingValue = "true")
@@ -37,15 +37,15 @@ void init() {
     @Bean
     @Order(Ordered.HIGHEST_PRECEDENCE)
     public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
-        return http
-            .csrf().disable()   // NOSONAR
-            .headers().httpStrictTransportSecurity().disable()
-            .frameOptions().disable().and()
-
-            .authorizeRequests()
-            .anyRequest().permitAll()
-            .and()
-            .build();
+        return FixedHeadersConfigurer.fix(http
+                .csrf().disable()   // NOSONAR
+                .headers().httpStrictTransportSecurity().disable()
+                .frameOptions().disable().and()
+
+                .authorizeRequests()
+                .anyRequest().permitAll()
+                .and()
+            ).build();
     }
 
 }
diff --git a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
new file mode 100644
index 0000000000..8b7949f74c
--- /dev/null
+++ b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
@@ -0,0 +1,111 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.apicatalog.acceptance;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.zowe.apiml.apicatalog.ApiCatalogApplication;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static io.restassured.RestAssured.given;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+
+@SpringBootTest(
+    classes = {
+        ApiCatalogApplication.class,
+        ResponseHeaderFixTest.TestController.class
+    },
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+@ActiveProfiles("ResponseHeaderFixTest")
+public class ResponseHeaderFixTest {
+
+    private static final int TEST_CONTENT_LENGTH = 101;
+    private static final String CONTENT_LENGTH = "Content-Length";
+
+    @LocalServerPort
+    protected int port;
+
+    @ParameterizedTest(name = "Test handling setting context-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/apicatalog/test/%d/%s", port, method, CONTENT_LENGTH))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH, String.valueOf(TEST_CONTENT_LENGTH))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @ParameterizedTest(name = "Test handling headers without content-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/apicatalog/test/%d/%s", port, method, "otherHeaderName"))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH,"0")
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @RestController
+    @Profile("ResponseHeaderFixTest")
+    static class TestController {
+
+        @GetMapping(value = "/test/{method}/{headerName}")
+        public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
+            switch(method) {
+                case 0:
+                    response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 1:
+                    response.setHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 2:
+                    response.setIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                case 3:
+                    response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                default:
+                    throw new IllegalArgumentException("Unknown method: " + method);
+            }
+
+        }
+
+    }
+
+}
+
diff --git a/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java b/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
index 6a6aa6cb47..08aba1c0e4 100644
--- a/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
+++ b/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
@@ -23,6 +23,7 @@
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.zowe.apiml.filter.AttlsFilter;
 import org.zowe.apiml.filter.SecureConnectionFilter;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 
 import java.util.Collections;
 
@@ -75,7 +76,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             http.authorizeRequests(requests -> requests.anyRequest().permitAll());
         }
 
-        return http.build();
+        return FixedHeadersConfigurer.fix(http).build();
     }
 
     private UserDetailsService x509UserDetailsService() {
diff --git a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
new file mode 100644
index 0000000000..4ec54e315f
--- /dev/null
+++ b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
@@ -0,0 +1,132 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.caching.acceptance;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.zowe.apiml.caching.CachingService;
+import org.zowe.apiml.util.config.SslContext;
+import org.zowe.apiml.util.config.SslContextConfigurer;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static io.restassured.RestAssured.given;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+
+@SpringBootTest(
+    classes = {
+        CachingService.class,
+        ResponseHeaderFixTest.TestController.class
+    },
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+@ActiveProfiles("ResponseHeaderFixTest")
+@TestInstance(TestInstance.Lifecycle. PER_CLASS)
+public class ResponseHeaderFixTest {
+
+    private static final int TEST_CONTENT_LENGTH = 101;
+    private static final String CONTENT_LENGTH = "Content-Length";
+
+    @LocalServerPort
+    protected int port;
+
+    @Value("${server.ssl.keyPassword}")
+    private char[] password;
+    @Value("${server.ssl.keyStore}")
+    private String client_cert_keystore;
+    @Value("${server.ssl.keyStore}")
+    private String keystore;
+
+    @BeforeAll
+    void setup() throws Exception {
+        SslContextConfigurer configurer = new SslContextConfigurer(password, client_cert_keystore, keystore);
+        SslContext.prepareSslAuthentication(configurer);
+    }
+
+    @ParameterizedTest(name = "Test handling setting context-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
+        given()
+            .config(SslContext.clientCertApiml)
+        .when()
+            .get(String.format("https://localhost:%d/test/%d/%s", port, method, CONTENT_LENGTH))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH, String.valueOf(TEST_CONTENT_LENGTH))
+            .header("X-Frame-Options", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @ParameterizedTest(name = "Test handling headers without content-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
+        given()
+            .config(SslContext.clientCertApiml)
+        .when()
+            .get(String.format("https://localhost:%d/test/%d/%s", port, method, "otherHeaderName"))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH,"0")
+            .header("X-Frame-Options", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @RestController
+    @Profile("ResponseHeaderFixTest")
+    static class TestController {
+
+        @GetMapping(value = "/test/{method}/{headerName}")
+        public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
+            switch(method) {
+                case 0:
+                    response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 1:
+                    response.setHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 2:
+                    response.setIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                case 3:
+                    response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                default:
+                    throw new IllegalArgumentException("Unknown method: " + method);
+            }
+
+        }
+
+    }
+
+}
+
diff --git a/common-service-core/build.gradle b/common-service-core/build.gradle
index d672d315b9..45be0f4fe8 100644
--- a/common-service-core/build.gradle
+++ b/common-service-core/build.gradle
@@ -26,6 +26,9 @@ dependencies {
     compileOnly libs.eh.cache
     testImplementation libs.eh.cache
 
+    compileOnly libs.spring.security.config
+    compileOnly libs.spring.security.web
+
     implementation libs.spring.boot.starter.cache
     testImplementation libs.spring.boot.starter.cache
     implementation libs.spring.web
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
similarity index 98%
rename from gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java
rename to common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
index 05871d4dec..4fb96e1b2c 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/FixedHeadersConfigurer.java
+++ b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
@@ -8,7 +8,7 @@
  * Copyright Contributors to the Zowe Project.
  */
 
-package org.zowe.apiml.gateway.security.config;
+package org.zowe.apiml.security;
 
 import lombok.RequiredArgsConstructor;
 import lombok.experimental.Delegate;
@@ -29,7 +29,7 @@
 import java.util.List;
 
 @RequiredArgsConstructor
-class FixedHeadersConfigurer<H extends HttpSecurityBuilder<H>> extends HeadersConfigurer<H> {
+public class FixedHeadersConfigurer<H extends HttpSecurityBuilder<H>> extends HeadersConfigurer<H> {
 
     @Delegate(excludes = Configure.class)
     protected final HeadersConfigurer<H> original;
diff --git a/discovery-service/src/main/java/org/zowe/apiml/discovery/config/AbstractWebSecurityConfigurer.java b/discovery-service/src/main/java/org/zowe/apiml/discovery/config/AbstractWebSecurityConfigurer.java
index bbc87cc9b0..3da1d8e4d6 100644
--- a/discovery-service/src/main/java/org/zowe/apiml/discovery/config/AbstractWebSecurityConfigurer.java
+++ b/discovery-service/src/main/java/org/zowe/apiml/discovery/config/AbstractWebSecurityConfigurer.java
@@ -12,13 +12,14 @@
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 
 public abstract class AbstractWebSecurityConfigurer {
 
     protected HttpSecurity baseConfigure(HttpSecurity http) throws Exception {
-        return http.csrf().disable()    // NOSONAR
+        return FixedHeadersConfigurer.fix(http.csrf().disable()    // NOSONAR
             .headers().httpStrictTransportSecurity().disable()
             .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .and();
+            .and());
     }
 }
diff --git a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
new file mode 100644
index 0000000000..1f9aa981cf
--- /dev/null
+++ b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
@@ -0,0 +1,117 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.discovery.acceptance;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.zowe.apiml.discovery.DiscoveryServiceApplication;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static io.restassured.RestAssured.given;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+
+@SpringBootTest(
+    classes = {
+        DiscoveryServiceApplication.class,
+        ResponseHeaderFixTest.TestController.class
+    },
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+@ActiveProfiles("ResponseHeaderFixTest")
+public class ResponseHeaderFixTest {
+
+    private static final int TEST_CONTENT_LENGTH = 101;
+    private static final String CONTENT_LENGTH = "Content-Length";
+
+    @LocalServerPort
+    protected int port;
+
+    @ParameterizedTest(name = "Test handling setting context-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+            .auth().preemptive().basic("eureka", "password")
+        .when()
+            .get(String.format("http://localhost:%d/test/%d/%s", port, method, CONTENT_LENGTH))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH, String.valueOf(TEST_CONTENT_LENGTH))
+            .header("X-Frame-Options", is(notNullValue()))
+            .header("Cache-Control", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @ParameterizedTest(name = "Test handling headers without content-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+            .auth().preemptive().basic("eureka", "password")
+        .when()
+            .get(String.format("http://localhost:%d/test/%d/%s", port, method, "otherHeaderName"))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH,"0")
+            .header("X-Frame-Options", is(notNullValue()))
+            .header("Cache-Control", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @RestController
+    @Profile("ResponseHeaderFixTest")
+    static class TestController {
+
+        @GetMapping(value = "/test/{method}/{headerName}")
+        public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
+            switch(method) {
+                case 0:
+                    response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 1:
+                    response.setHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 2:
+                    response.setIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                case 3:
+                    response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                default:
+                    throw new IllegalArgumentException("Unknown method: " + method);
+            }
+
+        }
+
+    }
+
+}
+
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
index f2174e58a3..e6530a9d34 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
@@ -57,6 +57,7 @@
 import org.zowe.apiml.gateway.security.ticket.SuccessfulTicketHandler;
 import org.zowe.apiml.gateway.services.ServicesInfoController;
 import org.zowe.apiml.gateway.zaas.ZaasAuthenticationFilter;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.config.CertificateAuthenticationProvider;
 import org.zowe.apiml.security.common.config.HandlerInitializer;
diff --git a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
index fbcadaa602..e6828343d9 100644
--- a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
+++ b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
@@ -39,36 +39,36 @@
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
-    private static final String CONTENT_LENGHT = "Content-Length";
+    private static final String CONTENT_LENGTH = "Content-Length";
 
     @LocalServerPort
     protected int port;
 
     @ParameterizedTest(name = "Test handling setting context-type using {1}")
     @CsvSource({
-        "0,addHeader(String name, String value)",
-        "1,setHeader(String name, String value)",
-        "2,setIntHeader(String name, int value)",
-        "3,addIntHeader(String name, int value)"
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
     })
     void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
         given()
             .relaxedHTTPSValidation()
         .when()
-            .get(String.format("https://localhost:%d/test/%d/%s", port, method, CONTENT_LENGHT))
+            .get(String.format("https://localhost:%d/test/%d/%s", port, method, CONTENT_LENGTH))
         .then()
             .statusCode(SC_OK)
-            .header(CONTENT_LENGHT, String.valueOf(TEST_CONTENT_LENGTH))
+            .header(CONTENT_LENGTH, String.valueOf(TEST_CONTENT_LENGTH))
             .header("Strict-Transport-Security", is(notNullValue()))
             .header("X-XSS-Protection", is(notNullValue()));
     }
 
     @ParameterizedTest(name = "Test handling headers without content-type using {1}")
     @CsvSource({
-        "0,addHeader(String name, String value)",
-        "1,setHeader(String name, String value)",
-        "2,setIntHeader(String name, int value)",
-        "3,addIntHeader(String name, int value)"
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
     })
     void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
         given()
@@ -77,7 +77,7 @@ void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String desc
             .get(String.format("https://localhost:%d/test/%d/%s", port, method, "otherHeaderName"))
         .then()
             .statusCode(SC_OK)
-            .header(CONTENT_LENGHT,"0")
+            .header(CONTENT_LENGTH,"0")
             .header("Strict-Transport-Security", is(notNullValue()))
             .header("X-XSS-Protection", is(notNullValue()));
     }
@@ -102,7 +102,7 @@ public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerN
                     response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
                     break;
                 default:
-                    throw new IllegalArgumentException("Uknown method: " + method);
+                    throw new IllegalArgumentException("Unknown method: " + method);
             }
 
         }
diff --git a/metrics-service/src/main/java/org/zowe/apiml/metrics/security/SpringSecurityConfiguration.java b/metrics-service/src/main/java/org/zowe/apiml/metrics/security/SpringSecurityConfiguration.java
index ca47fcf808..1f081f1efb 100644
--- a/metrics-service/src/main/java/org/zowe/apiml/metrics/security/SpringSecurityConfiguration.java
+++ b/metrics-service/src/main/java/org/zowe/apiml/metrics/security/SpringSecurityConfiguration.java
@@ -26,6 +26,7 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.zowe.apiml.security.FixedHeadersConfigurer;
 import org.zowe.apiml.security.client.EnableApimlAuth;
 import org.zowe.apiml.security.client.login.GatewayLoginProvider;
 import org.zowe.apiml.security.client.token.GatewayTokenProvider;
@@ -111,7 +112,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             .antMatchers("/application/health", "/application/info").permitAll()
             .and().apply(new CustomSecurityFilters());
 
-        return http.build();
+        return FixedHeadersConfigurer.fix(http).build();
     }
 
     private class CustomSecurityFilters extends AbstractHttpConfigurer<CustomSecurityFilters, HttpSecurity> {
diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
new file mode 100644
index 0000000000..463a2497a3
--- /dev/null
+++ b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
@@ -0,0 +1,117 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.metrics.acceptance;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.zowe.apiml.metrics.MetricsServiceApplication;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static io.restassured.RestAssured.given;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+
+@SpringBootTest(
+    classes = {
+        MetricsServiceApplication.class,
+        ResponseHeaderFixTest.TestController.class
+    },
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
+    properties = {
+        "server.ssl.keyStore=../keystore/localhost/localhost.keystore.p12",
+        "server.ssl.trustStore=../keystore/localhost/localhost.truststore.p12"
+    }
+)
+@ActiveProfiles("ResponseHeaderFixTest")
+public class ResponseHeaderFixTest {
+
+    private static final int TEST_CONTENT_LENGTH = 101;
+    private static final String CONTENT_LENGTH = "Content-Length";
+
+    @LocalServerPort
+    protected int port;
+
+    @ParameterizedTest(name = "Test handling setting context-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenSetContentLength_thenIsPropagated(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/metrics-service/test/%d/%s", port, method, CONTENT_LENGTH))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH, String.valueOf(TEST_CONTENT_LENGTH))
+            .header("Cache-Control", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @ParameterizedTest(name = "Test handling headers without content-type using {1}")
+    @CsvSource({
+        "0,addHeader<String String>",
+        "1,setHeader<String String>",
+        "2,setIntHeader<String int>",
+        "3,addIntHeader<String int>"
+    })
+    void givenRequest_whenDontSetContentLength_thenIsMissing(int method, String description) {
+        given()
+            .relaxedHTTPSValidation()
+        .when()
+            .get(String.format("https://localhost:%d/metrics-service/test/%d/%s", port, method, "otherHeaderName"))
+        .then()
+            .statusCode(SC_OK)
+            .header(CONTENT_LENGTH,"0")
+            .header("Cache-Control", is(notNullValue()))
+            .header("X-XSS-Protection", is(notNullValue()));
+    }
+
+    @RestController
+    @Profile("ResponseHeaderFixTest")
+    static class TestController {
+
+        @GetMapping(value = "/test/{method}/{headerName}")
+        public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
+            switch(method) {
+                case 0:
+                    response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 1:
+                    response.setHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
+                    break;
+                case 2:
+                    response.setIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                case 3:
+                    response.addIntHeader(headerName, TEST_CONTENT_LENGTH);
+                    break;
+                default:
+                    throw new IllegalArgumentException("Unknown method: " + method);
+            }
+
+        }
+
+    }
+
+}
+

From 623ac7e4b7f325a811f812eaa52ef83648fa0972 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Tue, 24 Mar 2026 18:05:38 +0100
Subject: [PATCH 4/9] fix checkstyle issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java | 2 +-
 .../zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java    | 2 +-
 .../zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java  | 2 +-
 .../java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java   | 2 +-
 .../zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
index 8b7949f74c..f3b62c9705 100644
--- a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
+++ b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
@@ -86,7 +86,7 @@ static class TestController {
 
         @GetMapping(value = "/test/{method}/{headerName}")
         public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
-            switch(method) {
+            switch (method) {
                 case 0:
                     response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
                     break;
diff --git a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
index 4ec54e315f..47c40d7569 100644
--- a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
+++ b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
@@ -107,7 +107,7 @@ static class TestController {
 
         @GetMapping(value = "/test/{method}/{headerName}")
         public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
-            switch(method) {
+            switch (method) {
                 case 0:
                     response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
                     break;
diff --git a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
index 1f9aa981cf..2db2b60a74 100644
--- a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
+++ b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
@@ -92,7 +92,7 @@ static class TestController {
 
         @GetMapping(value = "/test/{method}/{headerName}")
         public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
-            switch(method) {
+            switch (method) {
                 case 0:
                     response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
                     break;
diff --git a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
index e6828343d9..13da312347 100644
--- a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
+++ b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
@@ -88,7 +88,7 @@ static class TestController {
 
         @GetMapping(value = "/test/{method}/{headerName}")
         public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
-            switch(method) {
+            switch (method) {
                 case 0:
                     response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
                     break;
diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
index 463a2497a3..ba0a8f4f8f 100644
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
+++ b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
@@ -92,7 +92,7 @@ static class TestController {
 
         @GetMapping(value = "/test/{method}/{headerName}")
         public void getApiDoc(@PathVariable("method") int method, @PathVariable("headerName") String headerName, HttpServletResponse response) {
-            switch(method) {
+            switch (method) {
                 case 0:
                     response.addHeader(headerName, String.valueOf(TEST_CONTENT_LENGTH));
                     break;

From 46f6eb3ca34b0b4c708f7f6b3379cb660a4b693c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Tue, 24 Mar 2026 22:28:13 +0100
Subject: [PATCH 5/9] add @DirtiesContext
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../apiml/apicatalog/acceptance/ResponseHeaderFixTest.java    | 2 ++
 .../zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java  | 4 +++-
 .../apiml/discovery/acceptance/ResponseHeaderFixTest.java     | 2 ++
 .../java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java | 2 ++
 .../zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java  | 2 ++
 5 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
index f3b62c9705..8d551baa67 100644
--- a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
+++ b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
@@ -15,6 +15,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.context.annotation.Profile;
+import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -36,6 +37,7 @@
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
 )
 @ActiveProfiles("ResponseHeaderFixTest")
+@DirtiesContext
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
diff --git a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
index 47c40d7569..dc8188b5ec 100644
--- a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
+++ b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
@@ -18,6 +18,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.context.annotation.Profile;
+import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -41,7 +42,8 @@
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
 )
 @ActiveProfiles("ResponseHeaderFixTest")
-@TestInstance(TestInstance.Lifecycle. PER_CLASS)
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@DirtiesContext
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
diff --git a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
index 2db2b60a74..980cab263e 100644
--- a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
+++ b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
@@ -15,6 +15,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.context.annotation.Profile;
+import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -36,6 +37,7 @@
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
 )
 @ActiveProfiles("ResponseHeaderFixTest")
+@DirtiesContext
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
diff --git a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
index 13da312347..63c5fa17cd 100644
--- a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
+++ b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
@@ -15,6 +15,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.context.annotation.Profile;
+import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -36,6 +37,7 @@
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
 )
 @ActiveProfiles("ResponseHeaderFixTest")
+@DirtiesContext
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
index ba0a8f4f8f..6bf40061c4 100644
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
+++ b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
@@ -15,6 +15,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.context.annotation.Profile;
+import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -40,6 +41,7 @@
     }
 )
 @ActiveProfiles("ResponseHeaderFixTest")
+@DirtiesContext
 public class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;

From 2904316f16c6323a1bfb32d8ce7cf83e1accd1a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Wed, 25 Mar 2026 10:13:35 +0100
Subject: [PATCH 6/9] add @DirtiesContext to Metrics test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../zowe/apiml/metrics/functional/MetricsFunctionalTest.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
index e0a6f1900d..3ca365632a 100644
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
+++ b/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
@@ -10,17 +10,18 @@
 
 package org.zowe.apiml.metrics.functional;
 
+import io.restassured.RestAssured;
 import org.junit.jupiter.api.BeforeEach;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.test.annotation.DirtiesContext;
 import org.zowe.apiml.metrics.MetricsServiceApplication;
 
-import io.restassured.RestAssured;
-
 @SpringBootTest(classes = MetricsServiceApplication.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
         "server.ssl.keyStore=../keystore/localhost/localhost.keystore.p12",
         "server.ssl.trustStore=../keystore/localhost/localhost.truststore.p12" })
+@DirtiesContext
 public abstract class MetricsFunctionalTest {
     @LocalServerPort
     protected int port;

From a103dde0e6ac4c3f3b64c518ccd95a3099ff33db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Wed, 25 Mar 2026 10:35:03 +0100
Subject: [PATCH 7/9] removal of not necessary tests - replaced by acceptance
 one
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../functional/MetricsFunctionalTest.java     | 41 -------------------
 .../functional/PrototypeFunctionalTest.java   | 22 ----------
 2 files changed, 63 deletions(-)
 delete mode 100644 metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
 delete mode 100644 metrics-service/src/test/java/org/zowe/apiml/metrics/functional/PrototypeFunctionalTest.java

diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
deleted file mode 100644
index 3ca365632a..0000000000
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/MetricsFunctionalTest.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * This program and the accompanying materials are made available under the terms of the
- * Eclipse Public License v2.0 which accompanies this distribution, and is available at
- * https://www.eclipse.org/legal/epl-v20.html
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Copyright Contributors to the Zowe Project.
- */
-
-package org.zowe.apiml.metrics.functional;
-
-import io.restassured.RestAssured;
-import org.junit.jupiter.api.BeforeEach;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.web.server.LocalServerPort;
-import org.springframework.test.annotation.DirtiesContext;
-import org.zowe.apiml.metrics.MetricsServiceApplication;
-
-@SpringBootTest(classes = MetricsServiceApplication.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
-        "server.ssl.keyStore=../keystore/localhost/localhost.keystore.p12",
-        "server.ssl.trustStore=../keystore/localhost/localhost.truststore.p12" })
-@DirtiesContext
-public abstract class MetricsFunctionalTest {
-    @LocalServerPort
-    protected int port;
-
-    @Value("${apiml.service.hostname:localhost}")
-    protected String hostname;
-
-    @BeforeEach
-    void setUp() {
-        RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
-    }
-
-    protected String getDiscoveryUriWithPath(String path) {
-        return String.format("https://%s:%d", hostname, port) + path;
-    }
-
-}
diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/PrototypeFunctionalTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/PrototypeFunctionalTest.java
deleted file mode 100644
index 8d2fbddb05..0000000000
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/functional/PrototypeFunctionalTest.java
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * This program and the accompanying materials are made available under the terms of the
- * Eclipse Public License v2.0 which accompanies this distribution, and is available at
- * https://www.eclipse.org/legal/epl-v20.html
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Copyright Contributors to the Zowe Project.
- */
-
-package org.zowe.apiml.metrics.functional;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import org.junit.jupiter.api.Test;
-
-class PrototypeFunctionalTest extends MetricsFunctionalTest {
-    @Test
-    void testContextStarts() {
-        assertTrue(true);
-    }
-}

From 0283187897ee3d285ae77794d04778eeb4d79a86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Thu, 26 Mar 2026 10:27:10 +0100
Subject: [PATCH 8/9] fix sonar issue by renaming of copied private methods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../apiml/security/FixedHeadersConfigurer.java | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
index 4fb96e1b2c..552b22104a 100644
--- a/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
+++ b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
@@ -46,11 +46,11 @@ public static HttpSecurity fix(HttpSecurity httpSecurity) throws Exception {
 
     @Override
     public void configure(H http) {
-        HeaderWriterFilter headersFilter = createHeaderWriterFilter();
+        HeaderWriterFilter headersFilter = createHeaderWriterFilterFixed();
         http.addFilter(headersFilter);
     }
 
-    private HeaderWriterFilter createHeaderWriterFilter() {
+    private HeaderWriterFilter createHeaderWriterFilterFixed() {
         List<HeaderWriter> writers;
         try {
             Method getHeaderWriters = HeadersConfigurer.class.getDeclaredMethod("getHeaderWriters");
@@ -135,20 +135,20 @@ public FixedHeaderWriterFilter(List<HeaderWriter> headerWriters) {
         protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws ServletException, IOException {
             if (this.shouldWriteHeadersEagerly) {
-                doHeadersBefore(request, response, filterChain);
+                doHeadersBeforeCopy(request, response, filterChain);
             }
             else {
-                doHeadersAfter(request, response, filterChain);
+                doHeadersAfterFixed(request, response, filterChain);
             }
         }
 
-        private void doHeadersBefore(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+        private void doHeadersBeforeCopy(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws IOException, ServletException {
-            writeHeaders(request, response);
+            writeHeadersCopy(request, response);
             filterChain.doFilter(request, response);
         }
 
-        private void doHeadersAfter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+        private void doHeadersAfterFixed(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws IOException, ServletException {
             FixedHeaderWriterResponse headerWriterResponse = new FixedHeaderWriterResponse(request, response);
             FixedHeaderWriterRequest headerWriterRequest = new FixedHeaderWriterRequest(request, headerWriterResponse);
@@ -160,7 +160,7 @@ private void doHeadersAfter(HttpServletRequest request, HttpServletResponse resp
             }
         }
 
-        void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
+        void writeHeadersCopy(HttpServletRequest request, HttpServletResponse response) {
             for (HeaderWriter writer : this.headerWriters) {
                 writer.writeHeaders(request, response);
             }
@@ -185,7 +185,7 @@ protected void writeHeaders() {
                 if (isDisableOnResponseCommitted()) {
                     return;
                 }
-                FixedHeaderWriterFilter.this.writeHeaders(this.request, getHttpResponse());
+                FixedHeaderWriterFilter.this.writeHeadersCopy(this.request, getHttpResponse());
             }
 
             private HttpServletResponse getHttpResponse() {

From 3539058c699a0def914f01d14e87e0237bc263f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <Pavel.Jares@broadcom.com>
Date: Thu, 26 Mar 2026 14:45:31 +0100
Subject: [PATCH 9/9] sonar issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com>
---
 .../apicatalog/acceptance/ResponseHeaderFixTest.java   |  2 +-
 .../caching/acceptance/ResponseHeaderFixTest.java      |  6 +++---
 .../zowe/apiml/security/FixedHeadersConfigurer.java    | 10 +++++-----
 .../discovery/acceptance/ResponseHeaderFixTest.java    |  2 +-
 .../zowe/apiml/acceptance/ResponseHeaderFixTest.java   |  2 +-
 .../metrics/acceptance/ResponseHeaderFixTest.java      |  2 +-
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
index 8d551baa67..f5c8fc8580 100644
--- a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
+++ b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/acceptance/ResponseHeaderFixTest.java
@@ -38,7 +38,7 @@
 )
 @ActiveProfiles("ResponseHeaderFixTest")
 @DirtiesContext
-public class ResponseHeaderFixTest {
+class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
     private static final String CONTENT_LENGTH = "Content-Length";
diff --git a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
index dc8188b5ec..b3da0b768e 100644
--- a/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
+++ b/caching-service/src/test/java/org/zowe/apiml/caching/acceptance/ResponseHeaderFixTest.java
@@ -44,7 +44,7 @@
 @ActiveProfiles("ResponseHeaderFixTest")
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 @DirtiesContext
-public class ResponseHeaderFixTest {
+class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
     private static final String CONTENT_LENGTH = "Content-Length";
@@ -55,13 +55,13 @@ public class ResponseHeaderFixTest {
     @Value("${server.ssl.keyPassword}")
     private char[] password;
     @Value("${server.ssl.keyStore}")
-    private String client_cert_keystore;
+    private String clientCertKeystore;
     @Value("${server.ssl.keyStore}")
     private String keystore;
 
     @BeforeAll
     void setup() throws Exception {
-        SslContextConfigurer configurer = new SslContextConfigurer(password, client_cert_keystore, keystore);
+        SslContextConfigurer configurer = new SslContextConfigurer(password, clientCertKeystore, keystore);
         SslContext.prepareSslAuthentication(configurer);
     }
 
diff --git a/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
index 552b22104a..00a36fa078 100644
--- a/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
+++ b/common-service-core/src/main/java/org/zowe/apiml/security/FixedHeadersConfigurer.java
@@ -34,12 +34,12 @@ public class FixedHeadersConfigurer<H extends HttpSecurityBuilder<H>> extends He
     @Delegate(excludes = Configure.class)
     protected final HeadersConfigurer<H> original;
 
-    public static HttpSecurity fix(HttpSecurity httpSecurity) throws Exception {
+    public static <T extends HttpSecurityBuilder<T>> HttpSecurity fix(HttpSecurity httpSecurity) throws Exception {
         // remove the invalid configured
-        HeadersConfigurer originalConfigurer = httpSecurity.removeConfigurer(HeadersConfigurer.class);
+        HeadersConfigurer<T> originalConfigurer = httpSecurity.removeConfigurer(HeadersConfigurer.class);
 
         // add back the fixed version
-        httpSecurity.apply(new FixedHeadersConfigurer(originalConfigurer));
+        httpSecurity.<FixedHeadersConfigurer>apply(new FixedHeadersConfigurer<>(originalConfigurer));
 
         return httpSecurity;
     }
@@ -76,9 +76,9 @@ interface Configure<H extends HttpSecurityBuilder<H>> {
 
     }
 
-    static abstract class FixedOnCommittedResponseWrapper extends OnCommittedResponseWrapper {
+    abstract static class FixedOnCommittedResponseWrapper extends OnCommittedResponseWrapper {
 
-        public FixedOnCommittedResponseWrapper(HttpServletResponse response) {
+        FixedOnCommittedResponseWrapper(HttpServletResponse response) {
             super(response);
         }
 
diff --git a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
index 980cab263e..d559c747f4 100644
--- a/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
+++ b/discovery-service/src/test/java/org/zowe/apiml/discovery/acceptance/ResponseHeaderFixTest.java
@@ -38,7 +38,7 @@
 )
 @ActiveProfiles("ResponseHeaderFixTest")
 @DirtiesContext
-public class ResponseHeaderFixTest {
+class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
     private static final String CONTENT_LENGTH = "Content-Length";
diff --git a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
index 63c5fa17cd..878e1d2e80 100644
--- a/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
+++ b/gateway-service/src/test/java/org/zowe/apiml/acceptance/ResponseHeaderFixTest.java
@@ -38,7 +38,7 @@
 )
 @ActiveProfiles("ResponseHeaderFixTest")
 @DirtiesContext
-public class ResponseHeaderFixTest {
+class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
     private static final String CONTENT_LENGTH = "Content-Length";
diff --git a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
index 6bf40061c4..350066cbf3 100644
--- a/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
+++ b/metrics-service/src/test/java/org/zowe/apiml/metrics/acceptance/ResponseHeaderFixTest.java
@@ -42,7 +42,7 @@
 )
 @ActiveProfiles("ResponseHeaderFixTest")
 @DirtiesContext
-public class ResponseHeaderFixTest {
+class ResponseHeaderFixTest {
 
     private static final int TEST_CONTENT_LENGTH = 101;
     private static final String CONTENT_LENGTH = "Content-Length";