diff --git a/.github/workflows/build-envoy-images-release.yaml b/.github/workflows/build-envoy-images-release.yaml
index 25f46dc03..77f9a8d61 100644
--- a/.github/workflows/build-envoy-images-release.yaml
+++ b/.github/workflows/build-envoy-images-release.yaml
@@ -79,7 +79,7 @@ jobs:
             ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
             COPY_CACHE_EXT=.new
             BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75"
-            BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
+            BAZEL_TEST_OPTS=--test_timeout=600 --local_test_jobs=1 --flaky_test_attempts=3
           push: true
           tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
 
@@ -104,7 +104,7 @@ jobs:
             BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }}
             ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
             BAZEL_BUILD_OPTS=--remote_upload_local_results=false
-            BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
+            BAZEL_TEST_OPTS=--test_timeout=600 --local_test_jobs=1 --flaky_test_attempts=3
           cache-to: type=local,dest=/tmp/buildx-cache,mode=max
           push: true
           tags: quay.io/${{ github.repository_owner }}/cilium-envoy:latest-testlogs
diff --git a/.github/workflows/ci-tests.yaml b/.github/workflows/ci-tests.yaml
index 92d503be2..f6ad10791 100644
--- a/.github/workflows/ci-tests.yaml
+++ b/.github/workflows/ci-tests.yaml
@@ -18,23 +18,23 @@ jobs:
     name: Run unit tests for proxylib
     runs-on: ubuntu-latest
     steps:
-    - name: Install Go
-      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
-      with:
-        # renovate: datasource=golang-version depName=go
-        go-version: 1.23.4
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Check module vendoring
-      run: |
-        go mod tidy
-        go mod vendor
-        test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy && go mod vendor', and submit your changes"; exit 1)
-    - name: Run unit tests
-      run: |
-        make -C proxylib test
+      - name: Install Go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          # renovate: datasource=golang-version depName=go
+          go-version: 1.23.4
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Check module vendoring
+        run: |
+          go mod tidy
+          go mod vendor
+          test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy && go mod vendor', and submit your changes"; exit 1)
+      - name: Run unit tests
+        run: |
+          make -C proxylib test
 
   tests:
     timeout-minutes: 360
@@ -104,6 +104,6 @@ jobs:
             BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }}
             ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
             BAZEL_BUILD_OPTS=--remote_upload_local_results=false
-            BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
+            BAZEL_TEST_OPTS=--test_timeout=600 --local_test_jobs=1 --flaky_test_attempts=3
           cache-from: type=local,src=/tmp/buildx-cache
           push: false
diff --git a/Makefile b/Makefile
index 2a5e08e79..53e83f904 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ ifdef BAZEL_REMOTE_CACHE
   BAZEL_BUILD_OPTS += --remote_cache=$(BAZEL_REMOTE_CACHE)
 endif
 
-BAZEL_TEST_OPTS ?= --jobs=HOST_RAM*.0003 --test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
+BAZEL_TEST_OPTS ?= --jobs=HOST_RAM*.0003 --test_timeout=600 --local_test_jobs=1 --flaky_test_attempts=3
 BAZEL_TEST_OPTS += --test_output=errors
 
 BUILDARCH := $(subst aarch64,arm64,$(subst x86_64,amd64,$(shell uname -m)))
diff --git a/cilium/accesslog.cc b/cilium/accesslog.cc
index dfc86a673..2e6f9c222 100644
--- a/cilium/accesslog.cc
+++ b/cilium/accesslog.cc
@@ -1,13 +1,32 @@
 #include "accesslog.h"
 
-#include <errno.h>
 #include <stdlib.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
 
+#include <chrono>
+#include <cstdint>
+#include <map>
+#include <memory>
+#include <string>
+
+#include "envoy/common/time.h"
+#include "envoy/http/header_map.h"
+#include "envoy/http/protocol.h"
+#include "envoy/network/address.h"
+#include "envoy/stream_info/stream_info.h"
+
 #include "source/common/common/lock_guard.h"
-#include "source/common/common/utility.h"
+#include "source/common/common/logger.h"
+#include "source/common/common/thread.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
+
+#include "absl/strings/numbers.h"
+#include "absl/strings/string_view.h"
+#include "cilium/api/accesslog.pb.h"
+#include "cilium/uds_client.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/accesslog.h b/cilium/accesslog.h
index 197f3e6f6..063f0151e 100644
--- a/cilium/accesslog.h
+++ b/cilium/accesslog.h
@@ -1,13 +1,21 @@
 #pragma once
 
+#include <cstdint>
 #include <map>
+#include <memory>
 #include <string>
 
+#include "envoy/common/time.h"
 #include "envoy/http/header_map.h"
-#include "envoy/network/connection.h"
-#include "envoy/router/router.h"
+#include "envoy/network/address.h"
+#include "envoy/stream_info/filter_state.h"
 #include "envoy/stream_info/stream_info.h"
 
+#include "source/common/common/thread.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+
+#include "absl/base/thread_annotations.h"
+#include "absl/strings/string_view.h"
 #include "cilium/api/accesslog.pb.h"
 #include "cilium/uds_client.h"
 
diff --git a/cilium/bpf.cc b/cilium/bpf.cc
index 9fd427aff..3ab5cfa3a 100644
--- a/cilium/bpf.cc
+++ b/cilium/bpf.cc
@@ -1,7 +1,14 @@
 #include "cilium/bpf.h"
 
 #include <errno.h>
+#include <unistd.h>
 
+#include <cstdint>
+#include <fstream>
+#include <sstream>
+#include <string>
+
+#include "source/common/common/logger.h"
 #include "source/common/common/utility.h"
 
 #include "cilium/privileged_service_client.h"
diff --git a/cilium/bpf.h b/cilium/bpf.h
index ea60ec762..f09b30a37 100644
--- a/cilium/bpf.h
+++ b/cilium/bpf.h
@@ -1,15 +1,9 @@
 #pragma once
 
-#include <string.h>
 #include <unistd.h>
 
 #include <cstdint>
-#include <fstream>
-#include <iostream>
-#include <map>
-#include <sstream>
 #include <string>
-#include <vector>
 
 #include "source/common/common/logger.h"
 
diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc
index 3120c1884..ef52cb753 100644
--- a/cilium/bpf_metadata.cc
+++ b/cilium/bpf_metadata.cc
@@ -1,25 +1,48 @@
 #include "cilium/bpf_metadata.h"
 
+#include <asm-generic/socket.h>
+#include <fmt/format.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
+#include <sys/socket.h>
 
+#include <chrono>
+#include <cstddef>
+#include <cstdint>
+#include <memory>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include "envoy/api/io_error.h"
+#include "envoy/common/exception.h"
+#include "envoy/network/address.h"
+#include "envoy/network/filter.h"
 #include "envoy/network/listen_socket.h"
+#include "envoy/network/listener_filter_buffer.h"
 #include "envoy/registry/registry.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/server/filter_config.h"
 #include "envoy/singleton/manager.h"
+#include "envoy/stream_info/filter_state.h"
 
-#include "source/common/common/assert.h"
-#include "source/common/common/fmt.h"
+#include "source/common/common/logger.h"
 #include "source/common/common/utility.h"
 #include "source/common/network/address_impl.h"
-#include "source/common/network/socket_option_factory.h"
 #include "source/common/network/upstream_socket_options_filter_state.h"
-
-#include "cilium/api/bpf_metadata.pb.validate.h"
+#include "source/common/network/utility.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
+
+#include "absl/strings/string_view.h"
+#include "cilium/api/bpf_metadata.pb.h"
+#include "cilium/api/bpf_metadata.pb.validate.h" // IWYU pragma: keep
+#include "cilium/conntrack.h"
+#include "cilium/host_map.h"
+#include "cilium/ipcache.h"
+#include "cilium/network_policy.h"
+#include "cilium/policy_id.h"
 #include "cilium/socket_option.h"
-#include "network_policy.h"
 
 namespace Envoy {
 namespace Server {
@@ -534,7 +557,7 @@ Network::FilterStatus Instance::onAccept(Network::ListenerFilterCallbacks& cb) {
 
   // Set socket options for linger and keepalive (5 minutes).
   struct ::linger lin {
-    true, 10
+    true, 10,
   };
   int keepalive = true;
   int secs = 5 * 60; // Five minutes
diff --git a/cilium/bpf_metadata.h b/cilium/bpf_metadata.h
index d2d80d180..33c6000c4 100644
--- a/cilium/bpf_metadata.h
+++ b/cilium/bpf_metadata.h
@@ -1,9 +1,16 @@
 #pragma once
 
+#include <chrono>
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <string>
+
 #include "envoy/api/io_error.h"
-#include "envoy/json/json_object.h"
+#include "envoy/network/address.h"
 #include "envoy/network/filter.h"
-#include "envoy/server/filter_config.h"
+#include "envoy/network/listener_filter_buffer.h"
+#include "envoy/server/factory_context.h"
 
 #include "source/common/common/logger.h"
 
diff --git a/cilium/conntrack.cc b/cilium/conntrack.cc
index 55174b485..ad4cbdb5f 100644
--- a/cilium/conntrack.cc
+++ b/cilium/conntrack.cc
@@ -1,17 +1,27 @@
 #include "conntrack.h"
 
 #include <arpa/inet.h>
+#include <netinet/in.h>
 #include <string.h>
 
 #include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
 
 #include "envoy/common/platform.h"
+#include "envoy/network/address.h"
 
+#include "source/common/common/logger.h"
 #include "source/common/common/thread.h"
 #include "source/common/common/utility.h"
-#include "source/common/network/address_impl.h"
 
+#include "absl/container/flat_hash_map.h"
+#include "absl/container/flat_hash_set.h"
+#include "absl/numeric/int128.h"
+#include "cilium/bpf.h"
 #include "linux/bpf.h"
+#include "linux/type_mapper.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/conntrack.h b/cilium/conntrack.h
index 739699b12..7b9c04d34 100644
--- a/cilium/conntrack.h
+++ b/cilium/conntrack.h
@@ -1,5 +1,7 @@
 #pragma once
 
+#include <cstddef>
+#include <cstdint>
 #include <functional>
 #include <memory>
 #include <string>
@@ -12,7 +14,7 @@
 
 #include "absl/container/flat_hash_map.h"
 #include "absl/container/flat_hash_set.h"
-#include "bpf.h"
+#include "cilium/bpf.h"
 
 namespace std {
 template <> class hash<const string> {
diff --git a/cilium/grpc_subscription.cc b/cilium/grpc_subscription.cc
index 2869aa531..65d09ef6c 100644
--- a/cilium/grpc_subscription.cc
+++ b/cilium/grpc_subscription.cc
@@ -1,15 +1,38 @@
 #include "cilium/grpc_subscription.h"
 
+#include <fmt/format.h>
+
+#include <chrono>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
 #include "envoy/annotations/resource.pb.h"
+#include "envoy/common/exception.h"
+#include "envoy/common/random_generator.h"
 #include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/config/custom_config_validators.h"
 #include "envoy/config/subscription.h"
-
-#include "source/common/config/type_to_endpoint.h"
+#include "envoy/config/subscription_factory.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/local_info/local_info.h"
+#include "envoy/stats/scope.h"
+#include "envoy/upstream/cluster_manager.h"
+
+#include "source/common/common/assert.h"
+#include "source/common/common/backoff_strategy.h"
 #include "source/common/config/utility.h"
 #include "source/common/grpc/common.h"
-#include "source/common/protobuf/protobuf.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 #include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
-#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
+#include "source/extensions/config_subscription/grpc/grpc_subscription_impl.h"
+
+#include "absl/container/flat_hash_map.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/match.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/grpc_subscription.h b/cilium/grpc_subscription.h
index 793d4c728..125ec39e9 100644
--- a/cilium/grpc_subscription.h
+++ b/cilium/grpc_subscription.h
@@ -1,13 +1,18 @@
 #pragma once
 
-#include "envoy/config/grpc_mux.h"
+#include <chrono>
+#include <memory>
+#include <string>
+
+#include "envoy/common/random_generator.h"
+#include "envoy/config/core/v3/config_source.pb.h"
 #include "envoy/config/subscription.h"
-#include "envoy/config/xds_resources_delegate.h"
 #include "envoy/event/dispatcher.h"
-#include "envoy/grpc/async_client.h"
 #include "envoy/local_info/local_info.h"
+#include "envoy/stats/scope.h"
 #include "envoy/upstream/cluster_manager.h"
 
+#include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
 #include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
 #include "source/extensions/config_subscription/grpc/grpc_subscription_impl.h"
 
diff --git a/cilium/health_check_sink.cc b/cilium/health_check_sink.cc
index 73ec5fedc..f7a0df53f 100644
--- a/cilium/health_check_sink.cc
+++ b/cilium/health_check_sink.cc
@@ -1,9 +1,24 @@
 #include "cilium/health_check_sink.h"
 
+#include <map>
+#include <memory>
+#include <string>
+
+#include "envoy/common/time.h"
+#include "envoy/data/core/v3/health_check_event.pb.h"
 #include "envoy/registry/registry.h"
+#include "envoy/server/health_checker_config.h"
+#include "envoy/upstream/health_check_event_sink.h"
 
+#include "source/common/common/lock_guard.h"
+#include "source/common/common/logger.h"
+#include "source/common/common/thread.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 #include "source/common/protobuf/utility.h"
 
+#include "cilium/api/health_check_sink.pb.h"
+#include "cilium/uds_client.h"
+
 namespace Envoy {
 namespace Cilium {
 
diff --git a/cilium/health_check_sink.h b/cilium/health_check_sink.h
index fd1bb3750..378784a4e 100644
--- a/cilium/health_check_sink.h
+++ b/cilium/health_check_sink.h
@@ -1,9 +1,20 @@
 #pragma once
 
+#include <map>
+#include <memory>
+#include <string>
+
+#include "envoy/common/time.h"
+#include "envoy/data/core/v3/health_check_event.pb.h"
+#include "envoy/server/health_checker_config.h"
 #include "envoy/upstream/health_check_event_sink.h"
 
+#include "source/common/common/thread.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+
+#include "absl/base/thread_annotations.h"
 #include "cilium/api/health_check_sink.pb.h"
-#include "cilium/api/health_check_sink.pb.validate.h"
+#include "cilium/api/health_check_sink.pb.validate.h" // IWYU pragma: keep
 #include "cilium/uds_client.h"
 
 namespace Envoy {
diff --git a/cilium/host_map.cc b/cilium/host_map.cc
index 7c75a2114..e7ab6c854 100644
--- a/cilium/host_map.cc
+++ b/cilium/host_map.cc
@@ -1,11 +1,30 @@
 #include "cilium/host_map.h"
 
-#include <string>
-#include <unordered_set>
-
-#include "source/common/config/utility.h"
-#include "source/common/protobuf/protobuf.h"
+#include <arpa/inet.h>
+#include <fmt/format.h>
+#include <sys/socket.h>
 
+#include <cstdint>
+#include <cstring>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/config/subscription.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/thread_local/thread_local.h"
+#include "envoy/thread_local/thread_local_object.h"
+
+#include "source/common/common/logger.h"
+#include "source/common/common/macros.h"
+
+#include "absl/numeric/int128.h"
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+#include "cilium/api/nphds.pb.h"
 #include "cilium/grpc_subscription.h"
 
 namespace Envoy {
diff --git a/cilium/host_map.h b/cilium/host_map.h
index 32a7f7b08..f0b8e56ca 100644
--- a/cilium/host_map.h
+++ b/cilium/host_map.h
@@ -1,22 +1,40 @@
 #pragma once
 
 #include <arpa/inet.h>
-
+#include <fmt/format.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include <cstddef>
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
 #include "envoy/config/subscription.h"
-#include "envoy/event/dispatcher.h"
-#include "envoy/local_info/local_info.h"
+#include "envoy/network/address.h"
+#include "envoy/protobuf/message_validator.h"
 #include "envoy/server/factory_context.h"
 #include "envoy/singleton/instance.h"
+#include "envoy/stats/scope.h"
 #include "envoy/thread_local/thread_local.h"
-#include "envoy/upstream/cluster_manager.h"
+#include "envoy/thread_local/thread_local_object.h"
 
 #include "source/common/common/logger.h"
+#include "source/common/common/macros.h"
 #include "source/common/network/utility.h"
 #include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
 
+#include "absl/container/flat_hash_map.h"
 #include "absl/numeric/int128.h"
+#include "absl/status/status.h"
 #include "cilium/api/nphds.pb.h"
-#include "cilium/api/nphds.pb.validate.h"
+#include "cilium/api/nphds.pb.validate.h" // IWYU pragma: keep
 #include "cilium/policy_id.h"
 
 // std::hash specialization for Abseil uint128, needed for unordered_map key.
diff --git a/cilium/ipcache.cc b/cilium/ipcache.cc
index 5d34ec5f0..45a7cbb30 100644
--- a/cilium/ipcache.cc
+++ b/cilium/ipcache.cc
@@ -1,13 +1,25 @@
 #include "ipcache.h"
 
 #include <arpa/inet.h>
+#include <netinet/in.h>
+
+#include <cstdint>
+#include <cstring>
+#include <memory>
+#include <string>
 
 #include "envoy/common/platform.h"
+#include "envoy/network/address.h"
+#include "envoy/server/factory_context.h"
 #include "envoy/singleton/manager.h"
 
+#include "source/common/common/logger.h"
 #include "source/common/common/utility.h"
 
+#include "absl/numeric/int128.h"
+#include "cilium/bpf.h"
 #include "linux/bpf.h"
+#include "linux/type_mapper.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/ipcache.h b/cilium/ipcache.h
index 91a015ece..76c5bf95a 100644
--- a/cilium/ipcache.h
+++ b/cilium/ipcache.h
@@ -1,12 +1,14 @@
 #pragma once
 
+#include <cstdint>
+#include <memory>
+#include <string>
+
 #include "envoy/network/address.h"
 #include "envoy/server/factory_context.h"
 #include "envoy/singleton/instance.h"
 
-#include "source/common/common/logger.h"
-
-#include "bpf.h"
+#include "cilium/bpf.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/l7policy.cc b/cilium/l7policy.cc
index c682f6274..200f66659 100644
--- a/cilium/l7policy.cc
+++ b/cilium/l7policy.cc
@@ -1,17 +1,36 @@
 #include "cilium/l7policy.h"
 
-#include <string>
+#include <fmt/format.h>
 
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+
+#include "envoy/common/time.h"
+#include "envoy/http/codes.h"
+#include "envoy/http/filter.h"
+#include "envoy/http/filter_factory.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+#include "envoy/network/socket.h"
 #include "envoy/registry/registry.h"
-
-#include "source/common/buffer/buffer_impl.h"
-#include "source/common/config/utility.h"
-#include "source/common/http/header_map_impl.h"
-#include "source/common/http/utility.h"
-#include "source/common/network/upstream_server_name.h"
-#include "source/common/network/upstream_subject_alt_names.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/server/filter_config.h"
+#include "envoy/stats/scope.h"
+#include "envoy/stats/stats_macros.h"
+#include "envoy/stream_info/filter_state.h"
+#include "envoy/stream_info/stream_info.h"
+
+#include "source/common/common/assert.h"
+#include "source/common/common/logger.h"
+#include "source/common/common/utility.h"
 #include "source/extensions/filters/http/common/factory_base.h"
 
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
 #include "cilium/api/l7policy.pb.validate.h"
 #include "cilium/socket_option.h"
 
diff --git a/cilium/l7policy.h b/cilium/l7policy.h
index 978f2382a..f00c89bb8 100644
--- a/cilium/l7policy.h
+++ b/cilium/l7policy.h
@@ -1,14 +1,23 @@
 #pragma once
 
+#include <memory>
 #include <string>
 
-#include "envoy/server/filter_config.h"
-#include "envoy/stats/stats_macros.h"
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/optref.h"
+#include "envoy/common/time.h"
+#include "envoy/http/filter.h"
+#include "envoy/http/header_map.h"
+#include "envoy/http/metadata_interface.h"
+#include "envoy/stats/scope.h"
+#include "envoy/stats/stats_macros.h" // IWYU pragma: keep
 
 #include "source/common/common/logger.h"
 
+#include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
 #include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
 #include "cilium/api/l7policy.pb.h"
 
 namespace Envoy {
diff --git a/cilium/network_filter.cc b/cilium/network_filter.cc
index e23ccbe4c..be29d8b4b 100644
--- a/cilium/network_filter.cc
+++ b/cilium/network_filter.cc
@@ -2,17 +2,37 @@
 
 #include <dlfcn.h>
 
-#include "envoy/network/listen_socket.h"
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "envoy/buffer/buffer.h"
+#include "envoy/network/address.h"
+#include "envoy/network/connection.h"
+#include "envoy/network/filter.h"
 #include "envoy/registry/registry.h"
+#include "envoy/server/factory_context.h"
 #include "envoy/server/filter_config.h"
+#include "envoy/stream_info/filter_state.h"
+#include "envoy/stream_info/stream_info.h"
+#include "envoy/upstream/host_description.h"
 
-#include "source/common/common/assert.h"
-#include "source/common/common/fmt.h"
+#include "source/common/buffer/buffer_impl.h"
+#include "source/common/common/logger.h"
 #include "source/common/network/upstream_server_name.h"
 #include "source/common/network/upstream_subject_alt_names.h"
-
-#include "cilium/api/network_filter.pb.validate.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
+
+#include "absl/status/statusor.h"
+#include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
+#include "cilium/api/network_filter.pb.h"
+#include "cilium/api/network_filter.pb.validate.h" // IWYU pragma: keep
+#include "cilium/proxylib.h"
 #include "cilium/socket_option.h"
+#include "proxylib/types.h"
 
 namespace Envoy {
 namespace Server {
diff --git a/cilium/network_filter.h b/cilium/network_filter.h
index 4f2948443..d70bfe6b3 100644
--- a/cilium/network_filter.h
+++ b/cilium/network_filter.h
@@ -1,16 +1,21 @@
 #pragma once
 
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/time.h"
 #include "envoy/json/json_object.h"
-#include "envoy/network/connection.h"
 #include "envoy/network/filter.h"
-#include "envoy/server/filter_config.h"
+#include "envoy/server/factory_context.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
 
 #include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
 #include "cilium/api/network_filter.pb.h"
-#include "cilium/conntrack.h"
 #include "cilium/network_policy.h"
 #include "cilium/proxylib.h"
 
diff --git a/cilium/network_policy.cc b/cilium/network_policy.cc
index 33df8290a..4c5fec27d 100644
--- a/cilium/network_policy.cc
+++ b/cilium/network_policy.cc
@@ -1,25 +1,60 @@
 #include "cilium/network_policy.h"
 
+#include <fmt/format.h>
+#include <openssl/mem.h>
+
 #include <algorithm>
+#include <chrono>
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <set>
 #include <string>
-
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/common/matchers.h"
+#include "envoy/common/optref.h"
+#include "envoy/config/core/v3/address.pb.h"
+#include "envoy/config/core/v3/base.pb.h"
+#include "envoy/config/subscription.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/http/header_map.h"
+#include "envoy/init/manager.h"
+#include "envoy/network/address.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+#include "envoy/stats/stats_macros.h"
 #include "envoy/type/matcher/v3/metadata.pb.h"
 
+#include "source/common/common/assert.h"
+#include "source/common/common/logger.h"
 #include "source/common/common/matchers.h"
-#include "source/common/config/utility.h"
+#include "source/common/common/thread.h"
+#include "source/common/http/header_utility.h"
 #include "source/common/init/manager_impl.h"
+#include "source/common/init/target_impl.h"
 #include "source/common/init/watcher_impl.h"
 #include "source/common/network/utility.h"
-#include "source/common/protobuf/protobuf.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
 #include "source/common/stats/timespan_impl.h"
+#include "source/extensions/config_subscription/grpc/grpc_subscription_impl.h"
+#include "source/server/transport_socket_config_impl.h"
 
 #include "absl/container/btree_set.h"
 #include "absl/container/flat_hash_set.h"
 #include "absl/container/node_hash_map.h"
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+#include "cilium/accesslog.h"
+#include "cilium/api/npds.pb.h"
+#include "cilium/conntrack.h"
 #include "cilium/grpc_subscription.h"
 #include "cilium/ipcache.h"
 #include "cilium/secret_watcher.h"
-#include "openssl/ssl.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/network_policy.h b/cilium/network_policy.h
index b1dbca2a5..ede9bdfbe 100644
--- a/cilium/network_policy.h
+++ b/cilium/network_policy.h
@@ -1,26 +1,55 @@
 #pragma once
 
+#include <fmt/format.h>
+
+#include <chrono>
+#include <cstdint>
+#include <functional>
+#include <list>
+#include <map>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/common/matchers.h"
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/base.pb.h"
+#include "envoy/config/grpc_mux.h"
 #include "envoy/config/subscription.h"
 #include "envoy/http/header_map.h"
-#include "envoy/server/filter_config.h"
+#include "envoy/network/address.h"
+#include "envoy/protobuf/message_validator.h"
+#include "envoy/server/config_tracker.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/server/transport_socket_config.h"
 #include "envoy/singleton/instance.h"
-#include "envoy/stats/stats_macros.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+#include "envoy/stats/scope.h"
 #include "envoy/stats/timespan.h"
 #include "envoy/thread_local/thread_local.h"
+#include "envoy/thread_local/thread_local_object.h"
 
+#include "source/common/common/assert.h"
 #include "source/common/common/logger.h"
-#include "source/common/config/opaque_resource_decoder_impl.h"
-#include "source/common/http/header_utility.h"
+#include "source/common/common/macros.h"
+#include "source/common/common/thread.h"
 #include "source/common/init/manager_impl.h"
 #include "source/common/init/target_impl.h"
 #include "source/common/init/watcher_impl.h"
 #include "source/common/protobuf/message_validator_impl.h"
-#include "source/common/tls/server_context_config_impl.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
 #include "source/server/transport_socket_config_impl.h"
 
+#include "absl/container/btree_map.h"
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
 #include "cilium/accesslog.h"
 #include "cilium/api/npds.pb.h"
-#include "cilium/api/npds.pb.validate.h"
+#include "cilium/api/npds.pb.validate.h" // IWYU pragma: keep
 #include "cilium/conntrack.h"
 
 namespace Envoy {
diff --git a/cilium/proxylib.cc b/cilium/proxylib.cc
index 82c203d8c..b4b724dcd 100644
--- a/cilium/proxylib.cc
+++ b/cilium/proxylib.cc
@@ -1,13 +1,22 @@
 #include "cilium/proxylib.h"
 
 #include <dlfcn.h>
+#include <fmt/format.h>
 
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "envoy/buffer/buffer.h"
 #include "envoy/common/exception.h"
+#include "envoy/network/connection.h"
 
 #include "source/common/common/assert.h"
-#include "source/common/common/fmt.h"
+#include "source/common/common/logger.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 
 #include "absl/container/fixed_array.h"
+#include "proxylib/types.h"
 
 namespace Envoy {
 namespace Cilium {
@@ -181,7 +190,7 @@ FilterResult GoFilter::Instance::OnIO(bool reply, Buffer::Instance& data, bool e
     dir.inject_slice_.reset();
   }
 
-  // Do nothing if we don't have enought input (partial input remains buffered)
+  // Do nothing if we don't have enough input (partial input remains buffered)
   if (input_len < dir.need_bytes_) {
     return FILTER_OK;
   }
diff --git a/cilium/proxylib.h b/cilium/proxylib.h
index a67ab9f3e..f560c20c5 100644
--- a/cilium/proxylib.h
+++ b/cilium/proxylib.h
@@ -2,13 +2,18 @@
 
 #include <google/protobuf/map.h>
 
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "envoy/buffer/buffer.h"
 #include "envoy/network/connection.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
-#include "source/common/protobuf/protobuf.h"
 
 #include "proxylib/libcilium.h"
+#include "proxylib/types.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/secret_watcher.cc b/cilium/secret_watcher.cc
index 5c330ce8b..f36199793 100644
--- a/cilium/secret_watcher.cc
+++ b/cilium/secret_watcher.cc
@@ -1,8 +1,30 @@
 #include "cilium/secret_watcher.h"
 
+#include <fmt/format.h>
+
+#include <atomic>
+#include <string>
+#include <utility>
+
+#include "envoy/api/api.h"
+#include "envoy/common/callback.h"
+#include "envoy/common/exception.h"
+#include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.pb.h"
+#include "envoy/secret/secret_provider.h"
+#include "envoy/server/transport_socket_config.h"
+
+#include "source/common/common/logger.h"
+#include "source/common/common/thread.h"
 #include "source/common/config/datasource.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/server_context_config_impl.h"
 
+#include "absl/status/status.h"
+#include "absl/synchronization/mutex.h"
+#include "cilium/api/npds.pb.h"
 #include "cilium/grpc_subscription.h"
+#include "cilium/network_policy.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/secret_watcher.h b/cilium/secret_watcher.h
index e4cbd9f5a..02a07b9f1 100644
--- a/cilium/secret_watcher.h
+++ b/cilium/secret_watcher.h
@@ -1,12 +1,25 @@
 #pragma once
 
+#include <atomic>
+#include <memory>
 #include <string>
+#include <vector>
 
+#include "envoy/common/callback.h"
+#include "envoy/config/core/v3/config_source.pb.h"
 #include "envoy/secret/secret_provider.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+#include "envoy/ssl/context_manager.h"
+#include "envoy/stats/scope.h"
 
+#include "source/common/common/logger.h"
 #include "source/common/init/target_impl.h"
-#include "source/common/tls/server_context_config_impl.h"
 
+#include "absl/base/thread_annotations.h"
+#include "absl/status/status.h"
+#include "absl/synchronization/mutex.h"
+#include "cilium/api/npds.pb.h"
 #include "cilium/network_policy.h"
 
 namespace Envoy {
diff --git a/cilium/socket_option.h b/cilium/socket_option.h
index 885611bc8..dda309e82 100644
--- a/cilium/socket_option.h
+++ b/cilium/socket_option.h
@@ -1,12 +1,29 @@
 #pragma once
 
-#include "envoy/config/core/v3/base.pb.h"
-#include "envoy/network/listen_socket.h"
+#include <asm-generic/socket.h>
+#include <linux/in.h>
+#include <linux/in6.h>
+#include <netinet/in.h>
+
+#include <cerrno>
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/socket_option.pb.h"
+#include "envoy/network/address.h"
+#include "envoy/network/socket.h"
 
 #include "source/common/common/hex.h"
 #include "source/common/common/logger.h"
 #include "source/common/common/utility.h"
 
+#include "absl/numeric/int128.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
 #include "cilium/conntrack.h"
 #include "cilium/network_policy.h"
 #include "cilium/policy_id.h"
diff --git a/cilium/tls_wrapper.cc b/cilium/tls_wrapper.cc
index 41dbee6eb..32b2d57f5 100644
--- a/cilium/tls_wrapper.cc
+++ b/cilium/tls_wrapper.cc
@@ -1,12 +1,31 @@
 #include "cilium/tls_wrapper.h"
 
-#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.validate.h"
-
+#include <chrono>
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/buffer/buffer.h"
+#include "envoy/network/address.h"
+#include "envoy/network/post_io_action.h"
+#include "envoy/network/transport_socket.h"
+#include "envoy/registry/registry.h"
+#include "envoy/server/transport_socket_config.h"
+#include "envoy/ssl/connection.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+
+#include "source/common/common/empty_string.h"
+#include "source/common/common/logger.h"
 #include "source/common/network/raw_buffer_socket.h"
-#include "source/common/protobuf/utility.h"
-#include "source/common/tls/context_config_impl.h"
+#include "source/common/network/transport_socket_options_impl.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 #include "source/common/tls/ssl_socket.h"
 
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
 #include "cilium/api/tls_wrapper.pb.h"
 #include "cilium/network_policy.h"
 #include "cilium/socket_option.h"
diff --git a/cilium/tls_wrapper.h b/cilium/tls_wrapper.h
index 2e6fd1c68..78d67881f 100644
--- a/cilium/tls_wrapper.h
+++ b/cilium/tls_wrapper.h
@@ -1,9 +1,16 @@
 #pragma once
 
+#include <string>
+#include <vector>
+
+#include "envoy/network/transport_socket.h"
 #include "envoy/registry/registry.h"
 #include "envoy/server/transport_socket_config.h"
-#include "envoy/stats/scope.h"
-#include "envoy/stats/stats_macros.h"
+#include "envoy/stats/stats_macros.h" // IWYU pragma: keep
+
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+
+#include "absl/status/statusor.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/uds_client.cc b/cilium/uds_client.cc
index 9a2fce0eb..0bd3ebef0 100644
--- a/cilium/uds_client.cc
+++ b/cilium/uds_client.cc
@@ -1,14 +1,23 @@
 #include "cilium/uds_client.h"
 
 #include <errno.h>
+#include <fmt/format.h>
 #include <stdlib.h>
 #include <sys/socket.h>
+#include <sys/types.h>
 #include <unistd.h>
 
+#include <memory>
+#include <string>
+
 #include "envoy/common/exception.h"
+#include "envoy/common/time.h"
 
 #include "source/common/common/lock_guard.h"
+#include "source/common/common/logger.h"
+#include "source/common/common/token_bucket_impl.h"
 #include "source/common/common/utility.h"
+#include "source/common/network/address_impl.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/uds_client.h b/cilium/uds_client.h
index c117c5c41..0232d5d57 100644
--- a/cilium/uds_client.h
+++ b/cilium/uds_client.h
@@ -1,13 +1,18 @@
 #pragma once
 
-#include <map>
+#include <memory>
 #include <string>
 
+#include "envoy/common/time.h"
+
 #include "source/common/common/logger.h"
 #include "source/common/common/thread.h"
 #include "source/common/common/token_bucket_impl.h"
 #include "source/common/network/address_impl.h"
 
+#include "absl/base/thread_annotations.h"
+#include "absl/strings/string_view.h"
+
 namespace Envoy {
 namespace Cilium {
 
diff --git a/cilium/websocket.cc b/cilium/websocket.cc
index bc10036d0..3c0e3cbc8 100644
--- a/cilium/websocket.cc
+++ b/cilium/websocket.cc
@@ -2,28 +2,33 @@
 
 #include <http_parser.h>
 
+#include <cstdint>
+#include <memory>
 #include <string>
 
+#include "envoy/buffer/buffer.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+#include "envoy/network/filter.h"
 #include "envoy/registry/registry.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/server/filter_config.h"
+#include "envoy/stream_info/filter_state.h"
 
-#include "source/common/buffer/buffer_impl.h"
-#include "source/common/common/assert.h"
-#include "source/common/common/base64.h"
-#include "source/common/common/enum_to_int.h"
-#include "source/common/common/hex.h"
-#include "source/common/crypto/crypto_impl.h"
-#include "source/common/crypto/utility.h"
-#include "source/common/http/header_map_impl.h"
-#include "source/common/http/header_utility.h"
-#include "source/common/http/utility.h"
-#include "source/common/network/filter_manager_impl.h"
+#include "source/common/common/logger.h"
+#include "source/common/http/headers.h"
 #include "source/common/network/utility.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
 #include "source/common/stream_info/bool_accessor_impl.h"
 #include "source/common/tcp_proxy/tcp_proxy.h"
 
-#include "cilium/api/websocket.pb.validate.h"
+#include "absl/status/statusor.h"
+#include "cilium/api/websocket.pb.h"
+#include "cilium/api/websocket.pb.validate.h" // IWYU pragma: keep
 #include "cilium/socket_option.h"
-#include "cilium/websocket_protocol.h"
+#include "cilium/websocket_codec.h"
+#include "cilium/websocket_config.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/cilium/websocket.h b/cilium/websocket.h
index 62e2a38d1..4d978f66a 100644
--- a/cilium/websocket.h
+++ b/cilium/websocket.h
@@ -1,17 +1,16 @@
 #pragma once
 
-#include <string>
+#include "envoy/buffer/buffer.h"
+#include "envoy/event/schedulable_cb.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+#include "envoy/network/filter.h"
+#include "envoy/stats/stats_macros.h" // IWYU pragma: keep
 
-#include "envoy/common/random_generator.h"
-#include "envoy/event/dispatcher.h"
-#include "envoy/event/timer.h"
-#include "envoy/server/filter_config.h"
-#include "envoy/stats/stats_macros.h"
-
-#include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
 
 #include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
 #include "cilium/websocket_codec.h"
 #include "cilium/websocket_config.h"
 
diff --git a/cilium/websocket_codec.cc b/cilium/websocket_codec.cc
index 142211c13..bc49b537e 100644
--- a/cilium/websocket_codec.cc
+++ b/cilium/websocket_codec.cc
@@ -1,27 +1,38 @@
 #include "cilium/websocket_codec.h"
 
+#include <fmt/format.h>
 #include <http_parser.h>
+#include <sys/types.h>
 
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
 #include <string>
+#include <utility>
 
-#include "envoy/registry/registry.h"
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/pure.h"
+#include "envoy/http/codes.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+#include "envoy/network/connection.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/assert.h"
-#include "source/common/common/base64.h"
 #include "source/common/common/enum_to_int.h"
 #include "source/common/common/hex.h"
-#include "source/common/crypto/crypto_impl.h"
-#include "source/common/crypto/utility.h"
+#include "source/common/common/logger.h"
+#include "source/common/common/utility.h"
 #include "source/common/http/codes.h"
 #include "source/common/http/header_map_impl.h"
 #include "source/common/http/header_utility.h"
+#include "source/common/http/headers.h"
 #include "source/common/http/utility.h"
-#include "source/common/network/filter_manager_impl.h"
 #include "source/common/network/utility.h"
 
-#include "cilium/api/websocket.pb.validate.h"
-#include "cilium/socket_option.h"
+#include "absl/strings/ascii.h"
+#include "absl/strings/string_view.h"
+#include "cilium/websocket_config.h"
 #include "cilium/websocket_protocol.h"
 
 namespace Envoy {
diff --git a/cilium/websocket_codec.h b/cilium/websocket_codec.h
index 135c0653f..619977e66 100644
--- a/cilium/websocket_codec.h
+++ b/cilium/websocket_codec.h
@@ -1,13 +1,21 @@
 #pragma once
 
+#include <cstddef>
+#include <cstdint>
+#include <memory>
 #include <string>
 
-#include "envoy/event/dispatcher.h"
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/pure.h"
 #include "envoy/event/timer.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+#include "envoy/network/connection.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
 
+#include "absl/strings/string_view.h"
 #include "cilium/websocket_config.h"
 
 namespace Envoy {
diff --git a/cilium/websocket_config.cc b/cilium/websocket_config.cc
index 26e5fb708..0e51c8828 100644
--- a/cilium/websocket_config.cc
+++ b/cilium/websocket_config.cc
@@ -1,27 +1,34 @@
 #include "cilium/websocket_config.h"
 
 #include <http_parser.h>
+#include <openssl/digest.h>
+#include <openssl/sha.h>
 
+#include <chrono>
+#include <cstddef>
+#include <cstdint>
 #include <string>
+#include <vector>
 
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/exception.h"
+#include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
 #include "envoy/extensions/request_id/uuid/v3/uuid.pb.h"
-#include "envoy/registry/registry.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/stats/stats_macros.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/assert.h"
 #include "source/common/common/base64.h"
-#include "source/common/common/enum_to_int.h"
-#include "source/common/common/hex.h"
-#include "source/common/crypto/crypto_impl.h"
-#include "source/common/crypto/utility.h"
-#include "source/common/http/header_map_impl.h"
-#include "source/common/http/header_utility.h"
 #include "source/common/http/request_id_extension_impl.h"
-#include "source/common/http/utility.h"
-#include "source/common/network/filter_manager_impl.h"
-
-#include "cilium/api/websocket.pb.validate.h"
-#include "cilium/socket_option.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
+
+#include "absl/strings/ascii.h"
+#include "absl/strings/string_view.h"
+#include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
+#include "cilium/api/websocket.pb.h"
 #include "cilium/websocket_protocol.h"
 
 namespace Envoy {
diff --git a/cilium/websocket_config.h b/cilium/websocket_config.h
index 7d7fae03b..79f50e5ec 100644
--- a/cilium/websocket_config.h
+++ b/cilium/websocket_config.h
@@ -1,16 +1,25 @@
 #pragma once
 
+#include <chrono>
+#include <cstdint>
+#include <memory>
 #include <string>
+#include <vector>
 
+#include "envoy/buffer/buffer.h"
 #include "envoy/common/random_generator.h"
+#include "envoy/common/time.h"
 #include "envoy/event/dispatcher.h"
 #include "envoy/http/request_id_extension.h"
-#include "envoy/server/filter_config.h"
-#include "envoy/stats/stats_macros.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/stats/stats_macros.h" // IWYU pragma: keep
 
 #include "source/common/common/logger.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 
+#include "absl/strings/string_view.h"
 #include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
 #include "cilium/api/websocket.pb.h"
 
 namespace Envoy {
diff --git a/starter/main.cc b/starter/main.cc
index 2b3b52366..ed3527152 100644
--- a/starter/main.cc
+++ b/starter/main.cc
@@ -10,7 +10,18 @@
 #include <syscall.h>
 #include <unistd.h>
 #include <vector>
-
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+
+#include <linux/capability.h>
+#include <linux/limits.h>
+#include <linux/prctl.h>
+
+#include "starter/privileged_service_protocol.h"
 #include "starter/privileged_service_server.h"
 
 // NOLINT(namespace-envoy)
@@ -71,7 +82,7 @@ int main(int argc, char** argv) {
   envoy_args.push_back(path); // program
 
   if (!delimiter_present) {
-    // backwards compabitility: handle all args as Envoys if delimiter isn't present
+    // backwards compatibility: handle all args as Envoys if delimiter isn't present
     envoy_args.insert(envoy_args.end(), args.begin(), args.end());
   } else {
     // parse arguments and split by delimiter "--"
@@ -113,9 +124,7 @@ int main(int argc, char** argv) {
     close(fds[0]);
 
     // Unconditionally drop all capabilities
-    struct __user_cap_header_struct hdr {
-      _LINUX_CAPABILITY_VERSION_3, 0
-    };
+    struct __user_cap_header_struct hdr{_LINUX_CAPABILITY_VERSION_3, 0};
     struct __user_cap_data_struct data[2];
     memset(&data, 0, sizeof(data));
 
diff --git a/starter/privileged_service_protocol.cc b/starter/privileged_service_protocol.cc
index 746242bd4..787d061fb 100644
--- a/starter/privileged_service_protocol.cc
+++ b/starter/privileged_service_protocol.cc
@@ -7,12 +7,23 @@
 #include <errno.h>
 #include <sys/syscall.h>
 #include <sys/unistd.h>
+#include <asm-generic/socket.h>
+#include <bits/types/struct_iovec.h>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#include <linux/capability.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <unistd.h>
 
 namespace Envoy {
 namespace Cilium {
 namespace PrivilegedService {
 
-// Capabiilty names used in DumpCapabilites responses.
+// Capabiilty names used in DumpCapabilities responses.
 static const char* cap_names[64] = {
     "CAP_CHOWN",              //  0
     "CAP_DAC_OVERRIDE",       //  1
@@ -82,9 +93,7 @@ static const char* cap_names[64] = {
 
 // Get a 64-bit set of capabilities of the given kind
 uint64_t get_capabilities(cap_flag_t kind) {
-  struct __user_cap_header_struct hdr {
-    _LINUX_CAPABILITY_VERSION_3, 0
-  };
+  struct __user_cap_header_struct hdr{_LINUX_CAPABILITY_VERSION_3, 0};
   struct __user_cap_data_struct data[2];
   memset(&data, 0, sizeof(data));
   int rc = ::syscall(SYS_capget, &hdr, &data, sizeof(data));
@@ -148,7 +157,7 @@ namespace {
 
 static inline struct msghdr init_iov(struct iovec iov[2], const void* header, ssize_t headerlen,
                                      const void* data, ssize_t datalen) {
-  struct msghdr msg {};
+  struct msghdr msg{};
   msg.msg_iov = iov;
   msg.msg_iovlen = 1;
   iov[0].iov_base = const_cast<void*>(header);
diff --git a/starter/privileged_service_server.cc b/starter/privileged_service_server.cc
index c7af7aacb..f9ae859bf 100644
--- a/starter/privileged_service_server.cc
+++ b/starter/privileged_service_server.cc
@@ -5,14 +5,19 @@
 #include "starter/privileged_service_server.h"
 
 #include <errno.h>
-#include <linux/bpf.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <syscall.h>
 #include <unistd.h>
-
 #include <algorithm>
+#include <climits>
+#include <cstdint>
+#include <stdio.h>
+
+#include "starter/privileged_service_protocol.h"
+
+#include <linux/bpf.h>
 
 namespace Envoy {
 namespace Cilium {
@@ -124,7 +129,7 @@ void ProtocolServer::serve() {
     // Form the response in place
     msg.response.hdr_.msg_type_ = TYPE_RESPONSE;
     if (fd_out != -1) {
-      // Pass a poitive but invalid fd in return_value_, to be replaced with the passed
+      // Pass a positive but invalid fd in return_value_, to be replaced with the passed
       // fd by the receiver.
       msg.response.return_value_ = INT_MAX;
       msg.response.errno_ = 0;
diff --git a/starter/privileged_service_server.h b/starter/privileged_service_server.h
index 64252719e..bb8a74ac5 100644
--- a/starter/privileged_service_server.h
+++ b/starter/privileged_service_server.h
@@ -4,7 +4,7 @@
 #error "Linux platform file is part of non-Linux build."
 #endif
 
-#include <limits.h>
+#include <linux/limits.h>
 
 #include "starter/privileged_service_protocol.h"
 
@@ -29,7 +29,7 @@ class ProtocolServer : public Protocol {
     BpfLookupRequest bpf_lookup_req;
     SetSockOptRequest setsockopt_req;
 
-    // resposes use the same buffer, so they inherit the message sequence number from the request
+    // responses use the same buffer, so they inherit the message sequence number from the request
     Response response;
 
     // make space for the largest possible request
diff --git a/tests/accesslog_server.cc b/tests/accesslog_server.cc
index 7a2177d79..15e371bc0 100644
--- a/tests/accesslog_server.cc
+++ b/tests/accesslog_server.cc
@@ -1,10 +1,20 @@
 #include "tests/accesslog_server.h"
 
-#include <errno.h>
 #include <unistd.h>
 
+#include <chrono>
+#include <functional>
 #include <string>
 
+#include "source/common/common/logger.h"
+
+#include "absl/base/thread_annotations.h"
+#include "absl/synchronization/mutex.h"
+#include "absl/time/time.h"
+#include "absl/types/optional.h"
+#include "cilium/api/accesslog.pb.h"
+#include "tests/uds_server.h"
+
 namespace Envoy {
 
 AccessLogServer::AccessLogServer(const std::string path)
diff --git a/tests/accesslog_server.h b/tests/accesslog_server.h
index 667a47902..1aa33da39 100644
--- a/tests/accesslog_server.h
+++ b/tests/accesslog_server.h
@@ -1,12 +1,12 @@
 #pragma once
 
-#include <atomic>
 #include <chrono>
 #include <string>
 #include <vector>
 
 #include "test/test_common/utility.h"
 
+#include "absl/base/thread_annotations.h"
 #include "absl/synchronization/mutex.h"
 #include "absl/types/optional.h"
 #include "cilium/api/accesslog.pb.h"
diff --git a/tests/accesslog_test.cc b/tests/accesslog_test.cc
index 35e1b98db..63548cc14 100644
--- a/tests/accesslog_test.cc
+++ b/tests/accesslog_test.cc
@@ -1,14 +1,16 @@
-#include <cstdint>
+#include <memory>
 
 #include "envoy/http/protocol.h"
 
 #include "source/common/network/address_impl.h"
 
 #include "test/mocks/network/connection.h"
-#include "test/mocks/stream_info/mocks.h"
+#include "test/mocks/upstream/cluster_info.h"
+#include "test/test_common/simulated_time_system.h"
 #include "test/test_common/utility.h"
 
 #include "cilium/accesslog.h"
+#include "cilium/api/accesslog.pb.h"
 #include "gtest/gtest.h"
 
 namespace Envoy {
diff --git a/tests/bpf_metadata.cc b/tests/bpf_metadata.cc
index 8f9beda26..1fac78336 100644
--- a/tests/bpf_metadata.cc
+++ b/tests/bpf_metadata.cc
@@ -1,17 +1,40 @@
 #include "tests/bpf_metadata.h"
 
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
 #include "envoy/common/exception.h"
+#include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/config/subscription.h"
+#include "envoy/network/address.h"
+#include "envoy/network/filter.h"
+#include "envoy/network/listen_socket.h"
+#include "envoy/registry/registry.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/server/filter_config.h"
 
 #include "source/common/common/logger.h"
 #include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+#include "source/common/protobuf/utility.h"
 #include "source/extensions/config_subscription/filesystem/filesystem_subscription_impl.h"
 
 #include "test/test_common/environment.h"
 
+#include "absl/strings/string_view.h"
+#include "cilium/api/bpf_metadata.pb.h"
+#include "cilium/bpf_metadata.h"
+#include "cilium/host_map.h"
+#include "cilium/network_policy.h"
 #include "cilium/secret_watcher.h"
 #include "cilium/socket_option.h"
 #include "fmt/printf.h"
-#include "tests/bpf_metadata.pb.validate.h"
+#include "tests/bpf_metadata.pb.h"
+#include "tests/bpf_metadata.pb.validate.h" // IWYU pragma: keep
 
 namespace Envoy {
 
diff --git a/tests/bpf_metadata.h b/tests/bpf_metadata.h
index da1335d36..88c62ad22 100644
--- a/tests/bpf_metadata.h
+++ b/tests/bpf_metadata.h
@@ -2,6 +2,8 @@
 
 #include <memory>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include "envoy/network/address.h"
 #include "envoy/network/listen_socket.h"
@@ -10,6 +12,7 @@
 #include "cilium/bpf_metadata.h"
 #include "cilium/host_map.h"
 #include "cilium/network_policy.h"
+#include "cilium/socket_option.h"
 #include "tests/bpf_metadata.pb.h"
 
 namespace Envoy {
diff --git a/tests/cilium_http_integration.cc b/tests/cilium_http_integration.cc
index 436061a5d..ecf962542 100644
--- a/tests/cilium_http_integration.cc
+++ b/tests/cilium_http_integration.cc
@@ -1,8 +1,22 @@
 #include "tests/cilium_http_integration.h"
 
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <spdlog/common.h>
+
+#include <memory>
+#include <string>
+
 #include "envoy/network/address.h"
 
+#include "source/common/common/base_logger.h"
 #include "source/common/common/logger.h"
+#include "source/common/http/codec_client.h"
+#include "source/common/network/address_impl.h"
+
+#include "test/integration/http_integration.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/network_utility.h"
 
 #include "tests/bpf_metadata.h"
 
diff --git a/tests/cilium_http_integration.h b/tests/cilium_http_integration.h
index 588fae44f..00cb4182f 100644
--- a/tests/cilium_http_integration.h
+++ b/tests/cilium_http_integration.h
@@ -1,7 +1,23 @@
 #pragma once
 
+#include <gtest/gtest.h>
+
+#include <chrono>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/pure.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/address.h"
+
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
+
 #include "test/integration/http_integration.h"
+#include "test/test_common/utility.h"
 
+#include "absl/types/optional.h"
+#include "cilium/api/accesslog.pb.h"
 #include "tests/accesslog_server.h"
 
 namespace Envoy {
diff --git a/tests/cilium_http_integration_test.cc b/tests/cilium_http_integration_test.cc
index 34cd61a2e..121ee1357 100644
--- a/tests/cilium_http_integration_test.cc
+++ b/tests/cilium_http_integration_test.cc
@@ -1,9 +1,37 @@
 // <gtest.h> TEST
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/network/address.h"
+#include "envoy/service/discovery/v3/discovery.pb.h"
+
+#include "source/common/common/logger.h"
 #include "source/common/config/decoded_resource_impl.h"
 #include "source/common/network/address_impl.h"
-#include "source/common/protobuf/protobuf.h"
+#include "source/common/network/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/utility.h"
 #include "source/common/thread_local/thread_local_impl.h"
 
+#include "test/integration/http_integration.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
+
+#include "absl/strings/numbers.h"
+#include "absl/time/clock.h"
+#include "absl/time/time.h"
+#include "absl/types/optional.h"
+#include "cilium/api/accesslog.pb.h"
+#include "cilium/host_map.h"
 #include "cilium/secret_watcher.h"
 #include "tests/bpf_metadata.h" // host_map_config
 #include "tests/cilium_http_integration.h"
diff --git a/tests/cilium_http_upstream_integration_test.cc b/tests/cilium_http_upstream_integration_test.cc
index a667b6821..8bcebbd15 100644
--- a/tests/cilium_http_upstream_integration_test.cc
+++ b/tests/cilium_http_upstream_integration_test.cc
@@ -1,7 +1,25 @@
-#include "source/common/config/decoded_resource_impl.h"
-#include "source/common/network/address_impl.h"
-#include "source/common/thread_local/thread_local_impl.h"
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
 
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/network/address.h"
+
+#include "source/common/common/logger.h"
+#include "source/common/network/utility.h"
+
+#include "test/integration/http_integration.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
+
+#include "absl/time/clock.h"
+#include "absl/time/time.h"
+#include "absl/types/optional.h"
+#include "cilium/api/accesslog.pb.h"
 #include "cilium/secret_watcher.h"
 #include "tests/bpf_metadata.h" // host_map_config
 #include "tests/cilium_http_integration.h"
diff --git a/tests/cilium_network_policy_test.cc b/tests/cilium_network_policy_test.cc
index e7e3ec443..63b4b78bf 100644
--- a/tests/cilium_network_policy_test.cc
+++ b/tests/cilium_network_policy_test.cc
@@ -1,11 +1,33 @@
+#include <gmock/gmock-spec-builders.h>
+#include <spdlog/common.h>
+
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+
+#include "envoy/common/exception.h"
+#include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/init/manager.h"
+#include "envoy/server/transport_socket_config.h"
+#include "envoy/service/discovery/v3/discovery.pb.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+
+#include "source/common/common/assert.h"
+#include "source/common/common/base_logger.h"
 #include "source/common/common/logger.h"
 #include "source/common/config/decoded_resource_impl.h"
+#include "source/common/protobuf/message_validator_impl.h"
 #include "source/common/protobuf/utility.h"
-#include "source/common/secret/secret_provider_impl.h"
 
+#include "test/common/stats/stat_test_utility.h"
+#include "test/mocks/server/admin.h"
 #include "test/mocks/server/factory_context.h"
-#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
+#include "absl/strings/string_view.h"
+#include "cilium/accesslog.h"
 #include "cilium/network_policy.h"
 #include "gtest/gtest.h"
 
diff --git a/tests/cilium_tcp_integration.cc b/tests/cilium_tcp_integration.cc
index f11e0e360..de660e8a7 100644
--- a/tests/cilium_tcp_integration.cc
+++ b/tests/cilium_tcp_integration.cc
@@ -1,8 +1,21 @@
 #include "tests/cilium_tcp_integration.h"
 
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <spdlog/common.h>
+
+#include <memory>
+#include <string>
+
 #include "envoy/network/address.h"
 
+#include "source/common/common/base_logger.h"
+#include "source/common/common/logger.h"
+#include "source/common/network/address_impl.h"
+
+#include "test/integration/base_integration_test.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/network_utility.h"
 
 #include "tests/bpf_metadata.h"
 
diff --git a/tests/cilium_tcp_integration.h b/tests/cilium_tcp_integration.h
index f4051d848..bf1efdabb 100644
--- a/tests/cilium_tcp_integration.h
+++ b/tests/cilium_tcp_integration.h
@@ -1,6 +1,12 @@
 #pragma once
 
-#include "test/integration/integration.h"
+#include <gtest/gtest.h>
+
+#include <string>
+
+#include "envoy/network/address.h"
+
+#include "test/integration/base_integration_test.h"
 
 #include "tests/accesslog_server.h"
 
diff --git a/tests/cilium_tcp_integration_test.cc b/tests/cilium_tcp_integration_test.cc
index fc74fc0d8..24ca3817c 100644
--- a/tests/cilium_tcp_integration_test.cc
+++ b/tests/cilium_tcp_integration_test.cc
@@ -1,7 +1,20 @@
-#include "test/integration/integration.h"
-#include "test/integration/utility.h"
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+
+#include <chrono>
+#include <cstdint>
+#include <cstring>
+#include <string>
+
+#include "test/integration/fake_upstream.h"
+#include "test/integration/integration_tcp_client.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
+#include "absl/time/clock.h"
+#include "absl/time/time.h"
 #include "tests/cilium_tcp_integration.h"
 
 namespace Envoy {
diff --git a/tests/cilium_tls_http_integration_test.cc b/tests/cilium_tls_http_integration_test.cc
index c590c1457..39c530499 100644
--- a/tests/cilium_tls_http_integration_test.cc
+++ b/tests/cilium_tls_http_integration_test.cc
@@ -1,7 +1,27 @@
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.pb.h"
+#include "envoy/network/address.h"
+#include "envoy/network/connection.h"
+#include "envoy/network/transport_socket.h"
+
+#include "source/common/common/logger.h"
+#include "source/common/stats/isolated_store_impl.h"
 #include "source/common/tls/server_context_config_impl.h"
 #include "source/common/tls/server_ssl_socket.h"
 
+#include "test/integration/fake_upstream.h"
 #include "test/integration/ssl_utility.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
 #include "tests/cilium_http_integration.h"
 #include "tests/cilium_tls_integration.h"
diff --git a/tests/cilium_tls_integration.cc b/tests/cilium_tls_integration.cc
index 683c02bca..f931087e0 100644
--- a/tests/cilium_tls_integration.cc
+++ b/tests/cilium_tls_integration.cc
@@ -1,16 +1,25 @@
 #include "tests/cilium_tls_integration.h"
 
+#include <gmock/gmock-actions.h>
+#include <gmock/gmock-spec-builders.h>
+
+#include <string>
+#include <utility>
+
 #include "envoy/api/api.h"
+#include "envoy/common/exception.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.pb.h"
 #include "envoy/network/transport_socket.h"
+#include "envoy/ssl/context_manager.h"
 
 #include "source/common/tls/client_ssl_socket.h"
 #include "source/common/tls/context_config_impl.h"
 
 #include "test/integration/server.h"
+#include "test/mocks/server/admin.h"
 #include "test/mocks/server/transport_socket_factory_context.h"
 #include "test/test_common/environment.h"
-
-#include "gtest/gtest.h"
+#include "test/test_common/utility.h"
 
 namespace Envoy {
 namespace Cilium {
diff --git a/tests/cilium_tls_tcp_integration_test.cc b/tests/cilium_tls_tcp_integration_test.cc
index f1bbaabff..0a0c79fb1 100644
--- a/tests/cilium_tls_tcp_integration_test.cc
+++ b/tests/cilium_tls_tcp_integration_test.cc
@@ -1,7 +1,41 @@
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gmock/gmock-cardinalities.h>
+#include <gmock/gmock-spec-builders.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+#include <unistd.h>
+
+#include <chrono>
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "envoy/buffer/buffer.h"
+#include "envoy/common/exception.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.pb.h"
+#include "envoy/network/address.h"
+#include "envoy/network/connection.h"
+#include "envoy/network/transport_socket.h"
+
+#include "source/common/buffer/buffer_impl.h"
+#include "source/common/common/assert.h"
+#include "source/common/stats/isolated_store_impl.h"
 #include "source/common/tls/server_context_config_impl.h"
 #include "source/common/tls/server_ssl_socket.h"
 
+#include "test/integration/fake_upstream.h"
+#include "test/integration/integration_tcp_client.h"
 #include "test/integration/ssl_utility.h"
+#include "test/integration/utility.h"
+#include "test/mocks/buffer/mocks.h"
+#include "test/mocks/server/admin.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
 #include "tests/cilium_tcp_integration.h"
 #include "tests/cilium_tls_integration.h"
diff --git a/tests/cilium_websocket_codec_integration_test.cc b/tests/cilium_websocket_codec_integration_test.cc
index d86ce96d3..b93f8702d 100644
--- a/tests/cilium_websocket_codec_integration_test.cc
+++ b/tests/cilium_websocket_codec_integration_test.cc
@@ -1,5 +1,16 @@
-#include "test/integration/integration.h"
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+
+#include <chrono>
+#include <cstdint>
+#include <string>
+
+#include "test/integration/fake_upstream.h"
+#include "test/integration/integration_tcp_client.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
 #include "tests/cilium_tcp_integration.h"
 
diff --git a/tests/cilium_websocket_decap_integration_test.cc b/tests/cilium_websocket_decap_integration_test.cc
index 0022715b4..cc04dba8f 100644
--- a/tests/cilium_websocket_decap_integration_test.cc
+++ b/tests/cilium_websocket_decap_integration_test.cc
@@ -1,8 +1,21 @@
-#include "source/common/config/decoded_resource_impl.h"
-#include "source/common/network/address_impl.h"
-#include "source/common/protobuf/protobuf.h"
-#include "source/common/thread_local/thread_local_impl.h"
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
 
+#include <cstddef>
+#include <string>
+
+#include "envoy/event/dispatcher.h"
+
+#include "source/common/buffer/buffer_impl.h"
+
+#include "test/integration/fake_upstream.h"
+#include "test/integration/integration_stream_decoder.h"
+#include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
+
+#include "absl/strings/string_view.h"
 #include "tests/bpf_metadata.h" // host_map_config, original_dst_address
 #include "tests/cilium_http_integration.h"
 
@@ -276,7 +289,7 @@ TEST_P(CiliumWebSocketIntegrationTest, AcceptedWebSocket) {
 
   // Masked frames
   ASSERT_EQ(buf.length(), 0);
-  auto msg = "heello there\r\n"s;
+  auto msg = std::string{"heello there\r\n"};
   unsigned char mask[4] = {0x12, 0x34, 0x56, 0x78};
   auto masked = msg;
   for (size_t i = 0; i < msg.length(); i++) {
@@ -304,7 +317,7 @@ TEST_P(CiliumWebSocketIntegrationTest, AcceptedWebSocket) {
 
   // 2nd masked frame
   ASSERT_EQ(buf.length(), 0);
-  auto msg2 = "hello there\r\n"s;
+  auto msg2 = std::string{"hello there\r\n"};
   unsigned char mask2[4] = {0x90, 0xab, 0xcd, 0xef};
   auto masked2 = msg2;
   for (size_t i = 0; i < msg2.length(); i++) {
diff --git a/tests/cilium_websocket_encap_integration_test.cc b/tests/cilium_websocket_encap_integration_test.cc
index d858c0aa5..66debb308 100644
--- a/tests/cilium_websocket_encap_integration_test.cc
+++ b/tests/cilium_websocket_encap_integration_test.cc
@@ -1,6 +1,18 @@
-#include "test/integration/integration.h"
-#include "test/integration/utility.h"
+#include <fmt/base.h>
+#include <fmt/format.h>
+#include <gtest/gtest-param-test.h>
+#include <gtest/gtest.h>
+
+#include <chrono>
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <string>
+
+#include "test/integration/fake_upstream.h"
+#include "test/integration/integration_tcp_client.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/utility.h"
 
 #include "cilium/websocket_protocol.h"
 #include "tests/bpf_metadata.h" // original_dst_address
@@ -379,7 +391,7 @@ TEST_P(CiliumWebSocketIntegrationTest, CiliumWebSocketLargeWrite) {
   ASSERT_EQ(received_data.substr(frame_offset, 16 * 1024), data.substr(16 * 1024, 16 * 1024));
 
   // writing data in one large chunk
-  ASSERT_TRUE(fake_upstream_connection->write("\x82\x7e\x80\x00"s));
+  ASSERT_TRUE(fake_upstream_connection->write(std::string{"\x82\x7e\x80\x00"}));
   ASSERT_TRUE(fake_upstream_connection->write(data));
   tcp_client->waitForData(data);
   tcp_client->close();
@@ -435,7 +447,7 @@ TEST_P(CiliumWebSocketIntegrationTest, CiliumWebSocketDownstreamFlush) {
 
   // writing data in one large chunk
 
-  ASSERT_TRUE(fake_upstream_connection->write("\x82\x7f\x03\x20\0\0"s));
+  ASSERT_TRUE(fake_upstream_connection->write(std::string{"\x82\x7f\x03\x20\0\0"}));
   ASSERT_TRUE(fake_upstream_connection->write(data, true));
 
   test_server_->waitForCounterGe("cluster.cluster1.upstream_flow_control_paused_reading_total", 1);
diff --git a/tests/health_check_sink_server.cc b/tests/health_check_sink_server.cc
index 2312c5cbd..d9b2070c0 100644
--- a/tests/health_check_sink_server.cc
+++ b/tests/health_check_sink_server.cc
@@ -1,13 +1,24 @@
 #include "tests/health_check_sink_server.h"
 
-#include <errno.h>
 #include <stdlib.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
 
+#include <chrono>
+#include <functional>
 #include <string>
 
+#include "envoy/data/core/v3/health_check_event.pb.h"
+
+#include "source/common/common/logger.h"
+
+#include "absl/base/thread_annotations.h"
+#include "absl/synchronization/mutex.h"
+#include "absl/time/time.h"
+#include "absl/types/optional.h"
+#include "tests/uds_server.h"
+
 namespace Envoy {
 
 HealthCheckSinkServer::HealthCheckSinkServer(const std::string path)
diff --git a/tests/health_check_sink_server.h b/tests/health_check_sink_server.h
index 098577359..03226775e 100644
--- a/tests/health_check_sink_server.h
+++ b/tests/health_check_sink_server.h
@@ -1,18 +1,15 @@
 #pragma once
 
-#include <atomic>
 #include <chrono>
+#include <list>
 #include <string>
-#include <vector>
 
 #include "envoy/data/core/v3/health_check_event.pb.h"
-#include "envoy/data/core/v3/health_check_event.pb.validate.h"
-
-#include "source/common/common/logger.h"
-#include "source/common/common/thread.h"
+#include "envoy/data/core/v3/health_check_event.pb.validate.h" // IWYU pragma: keep
 
 #include "test/test_common/utility.h"
 
+#include "absl/base/thread_annotations.h"
 #include "absl/synchronization/mutex.h"
 #include "absl/types/optional.h"
 #include "tests/uds_server.h"
diff --git a/tests/health_check_sink_test.cc b/tests/health_check_sink_test.cc
index 44859eb16..58d5aa6f2 100644
--- a/tests/health_check_sink_test.cc
+++ b/tests/health_check_sink_test.cc
@@ -1,17 +1,21 @@
+#include <spdlog/common.h>
+
+#include <string>
+
+#include "envoy/data/core/v3/health_check_event.pb.h"
 #include "envoy/registry/registry.h"
+#include "envoy/upstream/health_check_event_sink.h"
 
+#include "source/common/common/base_logger.h"
 #include "source/common/common/logger.h"
-#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 
-#include "test/mocks/access_log/mocks.h"
-#include "test/mocks/event/mocks.h"
+#include "test/mocks/server/admin.h"
 #include "test/mocks/server/health_checker_factory_context.h"
 #include "test/test_common/utility.h"
 
 #include "cilium/api/health_check_sink.pb.h"
-#include "cilium/api/health_check_sink.pb.validate.h"
-#include "cilium/health_check_sink.h"
-#include "gmock/gmock.h"
+#include "cilium/api/health_check_sink.pb.validate.h" // IWYU pragma: keep
 #include "gtest/gtest.h"
 #include "tests/health_check_sink_server.h"
 
diff --git a/tests/metadata_config_test.cc b/tests/metadata_config_test.cc
index 62d48d558..6d57883e4 100644
--- a/tests/metadata_config_test.cc
+++ b/tests/metadata_config_test.cc
@@ -1,11 +1,41 @@
+#include <gmock/gmock-actions.h>
+#include <gmock/gmock-spec-builders.h>
+#include <spdlog/common.h>
+
+#include <cstdint>
+#include <list>
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include "envoy/api/api.h"
+#include "envoy/common/exception.h"
+#include "envoy/filesystem/watcher.h"
+#include "envoy/init/target.h"
+#include "envoy/init/watcher.h"
+#include "envoy/network/address.h"
 #include "envoy/network/filter.h"
 #include "envoy/network/socket.h"
 
+#include "source/common/common/base_logger.h"
 #include "source/common/common/logger.h"
+#include "source/common/init/watcher_impl.h"
 #include "source/common/network/address_impl.h"
+#include "source/common/network/socket_impl.h"
+#include "source/common/stats/isolated_store_impl.h"
 
+#include "test/mocks/filesystem/mocks.h"
+#include "test/mocks/network/io_handle.h"
+#include "test/mocks/network/mocks.h"
 #include "test/mocks/server/listener_factory_context.h"
-
+#include "test/mocks/server/transport_socket_factory_context.h"
+#include "test/test_common/utility.h"
+
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+#include "cilium/api/bpf_metadata.pb.h"
+#include "cilium/bpf_metadata.h"
+#include "cilium/socket_option.h"
 #include "gtest/gtest.h"
 #include "tests/bpf_metadata.h"
 
diff --git a/tests/uds_server.cc b/tests/uds_server.cc
index 563fd24ee..aef8a4253 100644
--- a/tests/uds_server.cc
+++ b/tests/uds_server.cc
@@ -5,12 +5,15 @@
 #include <sys/un.h>
 #include <unistd.h>
 
+#include <functional>
+#include <memory>
 #include <string>
 
 #include "envoy/common/exception.h"
 
-#include "source/common/common/lock_guard.h"
+#include "source/common/common/logger.h"
 #include "source/common/common/utility.h"
+#include "source/common/network/address_impl.h"
 
 #include "test/test_common/thread_factory_for_test.h"
 
diff --git a/tests/uds_server.h b/tests/uds_server.h
index ef06beba4..8fb4bf043 100644
--- a/tests/uds_server.h
+++ b/tests/uds_server.h
@@ -1,10 +1,13 @@
 #pragma once
 
 #include <atomic>
+#include <functional>
+#include <memory>
 #include <string>
 
+#include "envoy/thread/thread.h"
+
 #include "source/common/common/logger.h"
-#include "source/common/common/thread.h"
 #include "source/common/network/address_impl.h"
 
 namespace Envoy {