In the response body processing code flow, when the ngx_http_modsecurity_load_headers_out function from modsecurity_body_fitler, modsecurity builds the header from the data member
r->headers_out.headers.part. This will include headers that nginx knows e.g. Content-Encoding, Content-Length.
These headers are also recorded in r->headers_out.content_encoding and similar for content_length and content_type.
Any body filter that is executed before modsecurity may modify the r->headers_out.content_encoding header but NOT r->headers_out.headers.part .eg. if gunzip filter is executed before modsecurity.

This will mean that modsecurity will read the header as they were in the response and NOT as they have been modified(assuming other body filter executed prior to it) just before modsecurity was invoked.

Does the reading of headers_out.headers_part of headers that can potentially be modified by other body filters intentional?