diff --git a/pkg/acquisition/modules/appsec/appsec.go b/pkg/acquisition/modules/appsec/appsec.go
index def6a6886..54e0da446 100644
--- a/pkg/acquisition/modules/appsec/appsec.go
+++ b/pkg/acquisition/modules/appsec/appsec.go
@@ -353,14 +353,18 @@ func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) {
 	w.InChan <- parsedRequest
 
 	response := <-parsedRequest.ResponseChannel
+	statusCode := http.StatusOK
+
 	if response.InBandInterrupt {
+		statusCode = http.StatusForbidden
 		AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc()
 	}
 
 	appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger)
 	logger.Debugf("Response: %+v", appsecResponse)
-	rw.WriteHeader(appsecResponse.HTTPStatus)
-	body, err := json.Marshal(BodyResponse{Action: appsecResponse.Action})
+
+	rw.WriteHeader(statusCode)
+	body, err := json.Marshal(appsecResponse)
 	if err != nil {
 		logger.Errorf("unable to marshal response: %s", err)
 		rw.WriteHeader(http.StatusInternalServerError)
diff --git a/pkg/acquisition/modules/appsec/appsec_runner.go b/pkg/acquisition/modules/appsec/appsec_runner.go
index 5c72974c1..fa907fe42 100644
--- a/pkg/acquisition/modules/appsec/appsec_runner.go
+++ b/pkg/acquisition/modules/appsec/appsec_runner.go
@@ -119,6 +119,11 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
 	defer func() {
 		request.Tx.ProcessLogging()
 		//We don't close the transaction here, as it will reset coraza internal state and break variable tracking
+
+		err := r.AppsecRuntime.ProcessPostEvalRules(request)
+		if err != nil {
+			r.logger.Errorf("unable to process PostEval rules: %s", err)
+		}
 	}()
 
 	//pre eval (expr) rules
@@ -182,11 +187,6 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
 		r.logger.Debugf("rules matched for body : %d", in.RuleID)
 	}
 
-	err = r.AppsecRuntime.ProcessPostEvalRules(request)
-	if err != nil {
-		r.logger.Errorf("unable to process PostEval rules: %s", err)
-	}
-
 	return nil
 }
 
@@ -272,7 +272,7 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
 		r.logger.Errorf("unable to accumulate tx to event : %s", err)
 	}
 	if in := request.Tx.Interruption(); in != nil {
-		r.logger.Debugf("inband rules matched : %d", in.RuleID)
+		r.logger.Debugf("outband rules matched : %d", in.RuleID)
 		r.AppsecRuntime.Response.OutOfBandInterrupt = true
 
 		err = r.AppsecRuntime.ProcessOnMatchRules(request, evt)
diff --git a/pkg/apiserver/middlewares/v1/api_key.go b/pkg/apiserver/middlewares/v1/api_key.go
index 2f5f808ca..ae7645e1b 100644
--- a/pkg/apiserver/middlewares/v1/api_key.go
+++ b/pkg/apiserver/middlewares/v1/api_key.go
@@ -174,7 +174,8 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc {
 			}
 		}
 
-		if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {
+		//Don't update IP on HEAD request, as it's used by the appsec to check the validity of the API key provided
+		if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" && c.Request.Method != http.MethodHead {
 			log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
 
 			if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {