🤖 AI Summary
This study addresses the security risks in modern web applications—such as cache poisoning and supply chain attacks—stemming from redundant HTTP API requests, missing cache headers, high load, and excessive reliance on third-party services, for which systematic evaluation methods are lacking. The authors present the first empirical baseline of HTTP API quality across diverse production websites, collecting 108 HAR traces from 18 sites using Playwright automation. They design eight heuristic-based anti-pattern detectors to quantify API quality on a 0–100 scale and correlate it with security implications. Findings reveal that minimal server-rendered sites achieve a perfect score of 100, while content-heavy commercial sites score as low as 56.8; 67% of sites exhibit redundant requests or cache misconfigurations, and 72% have over 20% third-party requests, with one page issuing up to 2,684 such calls. The open-sourced framework enables reproducible, systematic linkage between performance anti-patterns and security risks.
📝 Abstract
Modern web applications rely heavily on client-side API calls to fetch data, render content, and communicate with backend services. However, the quality of these network interactions (redundant requests, missing cache headers, oversized payloads, and excessive third-party dependencies) is rarely tested in a systematic way. Moreover, many of these quality deficiencies carry security implications: missing cache headers enable cache poisoning, excessive third-party dependencies expand the supply-chain attack surface, and error responses risk leaking server internals. In this study, we present an automated software testing framework that captures and analyzes the complete HTTP traffic of 18 production websites spanning 11 categories (e-commerce, news, government, developer tools, travel, and more). Using automated browser instrumentation via Playwright, we record 108 HAR (HTTP Archive) files across 3 independent runs per page, then apply 8 heuristic-based anti-pattern detectors to produce a composite quality score (0-100) for each site. Our results reveal a wide quality spectrum: minimalist server-rendered sites achieve perfect scores of 100, while content-heavy commercial sites score as low as 56.8. We identify redundant API calls and missing cache headers as the two most pervasive anti-patterns, each affecting 67% of sites, while third-party overhead exceeds 20% on 72% of sites. One utility site makes 2,684 requests per page load, which is 447x more than the most minimal site. To protect site reputations, all identities are anonymized using category-based pseudonyms. We provide all analysis scripts, anonymized results, and reproducibility instructions as an open artifact. This work establishes an empirical baseline for HTTP API call quality across the modern web and offers a reproducible testing framework that researchers and practitioners can apply to their own applications.