{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T03:09:48Z","timestamp":1773803388276,"version":"3.50.1"},"reference-count":27,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T00:00:00Z","timestamp":1773792000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T00:00:00Z","timestamp":1773792000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Winthrop University"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["World Wide Web"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1007\/s11280-026-01410-1","type":"journal-article","created":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T01:52:33Z","timestamp":1773798753000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["The Death of the X-XSS-Protection Header: A Web Security Post-Mortem"],"prefix":"10.1007","volume":"29","author":[{"given":"Andrew","family":"Besmer","sequence":"first","affiliation":[]},{"given":"Jason","family":"Watson","sequence":"additional","affiliation":[]},{"given":"David","family":"Scibelli","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,3,18]]},"reference":[{"issue":"11","key":"1410_CR1","doi-asserted-by":"publisher","first-page":"12725","DOI":"10.1007\/s10462-023-10433-3","volume":"56","author":"J Kaur","year":"2023","unstructured":"Kaur, J., Garg, U., Bathla, G.: Detection of cross-site scripting (XSS) attacks using machine learning techniques: a review. Artif. Intell. Rev. 56(11), 12725\u201312769 (2023). https:\/\/doi.org\/10.1007\/s10462-023-10433-3","journal-title":"Artif. Intell. Rev."},{"key":"1410_CR2","unstructured":"The OWASP Foundation: OWASP Top Ten 2017 (2017). https:\/\/owasp.org\/www-project-top-ten\/2017\/Top_10.html Accessed 2025\u201305-17"},{"key":"1410_CR3","unstructured":"The OWASP Foundation: OWASP Top 10 2021 (2021). https:\/\/owasp.org\/Top10\/ Accessed 2025\u201305-17"},{"key":"1410_CR4","doi-asserted-by":"publisher","unstructured":"Babaey, V., Ravindran, A.: GenXSS: an AI-Driven Framework for Automated Detection of XSS Attacks in WAFs. In: SoutheastCon 2025, pp. 1519\u20131524 (2025). https:\/\/doi.org\/10.1109\/SoutheastCon56624.2025.10971558. ISSN: 1558-058X","DOI":"10.1109\/SoutheastCon56624.2025.10971558"},{"issue":"6","key":"1410_CR5","doi-asserted-by":"publisher","first-page":"1174","DOI":"10.3390\/electronics14061174","volume":"14","author":"Z Hu","year":"2025","unstructured":"Hu, Z., Zhang, J., Yang, H.: XSS Attack Detection Based on Multisource Semantic Feature Fusion. Electronics 14(6), 1174 (2025). https:\/\/doi.org\/10.3390\/electronics14061174","journal-title":"Electronics"},{"key":"1410_CR6","doi-asserted-by":"publisher","DOI":"10.1007\/s13369-024-09916-4","author":"R Bak\u0131r","year":"2025","unstructured":"Bak\u0131r, R.: UniEmbed: A Novel Approach to Detect XSS and SQL Injection Attacks Leveraging Multiple Feature Fusion with Machine Learning Techniques. Arab. J. Sci. Eng. (2025). https:\/\/doi.org\/10.1007\/s13369-024-09916-4","journal-title":"Arab. J. Sci. Eng."},{"key":"1410_CR7","unstructured":"Mitre: CAPEC List Version 3.9 Now Available (2023). https:\/\/capec.mitre.org\/news\/index.html#january_24_2023_CAPEC_List_Version_3.9_Now_Available Accessed 2025\u201305-17"},{"issue":"2","key":"1410_CR8","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/s10207-021-00548-5","volume":"21","author":"F Tommasi","year":"2022","unstructured":"Tommasi, F., Catalano, C., Taurino, I.: Browser-in-the-Middle (BitM) attack. Int. J. Inf. Secur. 21(2), 179\u2013189 (2022). https:\/\/doi.org\/10.1007\/s10207-021-00548-5","journal-title":"Int. J. Inf. Secur."},{"key":"1410_CR9","doi-asserted-by":"publisher","unstructured":"Wu, D., Xu, Z., Chen, B., Zhang, Y.: What If Routers Are Malicious? Mitigating Content Poisoning Attack in NDN. In: 2016 IEEE Trustcom\/BigDataSE\/ISPA, pp. 481\u2013488 (2016). https:\/\/doi.org\/10.1109\/TrustCom.2016.0100. ISSN: 2324-9013","DOI":"10.1109\/TrustCom.2016.0100"},{"key":"1410_CR10","doi-asserted-by":"publisher","unstructured":"Sguigna, A.: Mitigating JTAG as an Attack Surface. In: 2019 IEEE AUTOTESTCON, pp. 1\u20137 (2019). https:\/\/doi.org\/10.1109\/AUTOTESTCON43700.2019.8961076. ISSN: 1558-4550","DOI":"10.1109\/AUTOTESTCON43700.2019.8961076"},{"key":"1410_CR11","doi-asserted-by":"crossref","unstructured":"Kondo, D., Silverston, T., Tode, H., Asami, T., Perrin, O.: Risk analysis of information-leakage through interest packets in NDN. In: INFOCOM WKSHPS 2017 - IEEE International Conference on Computer Communications, Atlanta, United States (2017)","DOI":"10.1109\/INFCOMW.2017.8116403"},{"key":"1410_CR12","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1016\/j.ins.2019.01.064","volume":"484","author":"KL Chiew","year":"2019","unstructured":"Chiew, K.L., Tan, C.L., Wong, K., Yong, K.S.C., Tiong, W.K.: A new hybrid ensemble feature selection framework for machine learning-based phishing detection system. Inf. Sci. 484, 153\u2013166 (2019). https:\/\/doi.org\/10.1016\/j.ins.2019.01.064","journal-title":"Inf. Sci."},{"key":"1410_CR13","doi-asserted-by":"publisher","unstructured":"Tharani, J.S., Arachchilage, N.A.G.: Understanding phishers\u2019 strategies of mimicking uniform resource locators to leverage phishing attacks: A machine learning approach. SECURITY AND PRIVACY 3(5), 120 (2020). https:\/\/doi.org\/10.1002\/spy2.120. _eprint: https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/spy2.120","DOI":"10.1002\/spy2.120"},{"key":"1410_CR14","doi-asserted-by":"publisher","unstructured":"Baack, S.: A Critical Analysis of the Largest Source for Generative AI Training Data: Common Crawl. In: Proceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency. FAccT \u201924, pp. 2199\u20132208. Association for Computing Machinery, New York, NY, USA (2024). https:\/\/doi.org\/10.1145\/3630106.3659033","DOI":"10.1145\/3630106.3659033"},{"issue":"4","key":"1410_CR15","doi-asserted-by":"publisher","first-page":"0302197","DOI":"10.1371\/journal.pone.0302197","volume":"19","author":"AD Berenguer","year":"2024","unstructured":"Berenguer, A.D., Da, Y., Bossa, M.N., Oveneke, M.C., Sahli, H.: Causality-driven multivariate stock movement forecasting. PLoS ONE 19(4), 0302197 (2024). https:\/\/doi.org\/10.1371\/journal.pone.0302197","journal-title":"PLoS ONE"},{"key":"1410_CR16","doi-asserted-by":"publisher","unstructured":"Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, Vienna Austria (2016). https:\/\/doi.org\/10.1145\/2976749.2978363","DOI":"10.1145\/2976749.2978363"},{"key":"1410_CR17","doi-asserted-by":"publisher","unstructured":"Weissbacher, M., Lauinger, T., Robertson, W.: Why Is CSP Failing? Trends and Challenges in CSP Adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) Research in Attacks, Intrusions and Defenses (RAID 2014), pp. 212\u2013233. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-11379-1_11","DOI":"10.1007\/978-3-319-11379-1_11"},{"key":"1410_CR18","doi-asserted-by":"publisher","unstructured":"Lavrenovs, A., Mel\u00f3n, F.J.R.: HTTP security headers analysis of top one million websites. In: 2018 10th International Conference on Cyber Conflict (CyCon), pp. 345\u2013370 (2018). https:\/\/doi.org\/10.23919\/CYCON.2018.8405025. ISSN: 2325-5374","DOI":"10.23919\/CYCON.2018.8405025."},{"key":"1410_CR19","doi-asserted-by":"publisher","unstructured":"Luo, M., Laperdrix, P., Honarmand, N., Nikiforakis, N.: Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers. In: Proceedings 2019 Network and Distributed System Security Symposium. Internet Society, San Diego, CA (2019). https:\/\/doi.org\/10.14722\/ndss.2019.23149","DOI":"10.14722\/ndss.2019.23149"},{"key":"1410_CR20","doi-asserted-by":"publisher","unstructured":"Melicher, W., Fung, C., Bauer, L., Jia, L.: Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning. In: Proceedings of the Web Conference 2021, pp. 2684\u20132695. ACM, Ljubljana Slovenia (2021). https:\/\/doi.org\/10.1145\/3442381.3450062","DOI":"10.1145\/3442381.3450062"},{"key":"1410_CR21","doi-asserted-by":"publisher","unstructured":"Fang, Y., Li, Y., Liu, L., Huang, C.: DeepXSS: Cross Site Scripting Detection Based on Deep Learning. In: Proceedings of the 2018 International Conference on Computing and Artificial Intelligence. ICCAI \u201918, pp. 47\u201351. Association for Computing Machinery, New York, NY, USA (2018). https:\/\/doi.org\/10.1145\/3194452.3194469","DOI":"10.1145\/3194452.3194469"},{"issue":"2","key":"1410_CR22","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1145\/2619091","volume":"32","author":"W Enck","year":"2014","unstructured":"Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. ACM Transactions on Computer Systems (TOCS) 32(2), 5\u20131529 (2014). https:\/\/doi.org\/10.1145\/2619091","journal-title":"ACM Transactions on Computer Systems (TOCS)"},{"key":"1410_CR23","doi-asserted-by":"publisher","unstructured":"Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security - CCS \u201913, pp. 1193\u20131204. ACM Press, Berlin, Germany (2013). https:\/\/doi.org\/10.1145\/2508859.2516703","DOI":"10.1145\/2508859.2516703"},{"key":"1410_CR24","doi-asserted-by":"publisher","unstructured":"Som\u00e9, D.F.: MatriXSSed: A New Taxonomy for XSS in the Modern Web. In: Proceedings of the ACM on Web Conference 2025, pp. 4662\u20134672. ACM, Sydney NSW Australia (2025). https:\/\/doi.org\/10.1145\/3696410.3714774","DOI":"10.1145\/3696410.3714774"},{"key":"1410_CR25","doi-asserted-by":"publisher","unstructured":"Kishnani, U., Das, S.: Securing the Web: Analysis of HTTP Security Headers in Popular Global Websites. In: Patil, V.T., Krishnan, R., Shyamasundar, R.K. (eds.) Information Systems Security, pp. 87\u2013106. Springer, Cham (2025). https:\/\/doi.org\/10.1007\/978-3-031-80020-7_5","DOI":"10.1007\/978-3-031-80020-7_5"},{"key":"1410_CR26","doi-asserted-by":"publisher","unstructured":"Fielding, R.T., Reschke, J.: Hypertext Transfer Protocol (HTTP\/1.1): Message Syntax and Routing. Request for Comments RFC 7230, Internet Engineering Task Force (June 2014). https:\/\/doi.org\/10.17487\/RFC7230 Num Pages: 89","DOI":"10.17487\/RFC7230"},{"key":"1410_CR27","unstructured":"Ashiq, M.I., Li, W., Fiebig, T., Chung, T.: You\u2019ve Got Report: Measurement and Security Implications of DMARC Reporting. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 4123\u20134137 (2023)"}],"container-title":["World Wide Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11280-026-01410-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11280-026-01410-1","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11280-026-01410-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T01:52:34Z","timestamp":1773798754000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11280-026-01410-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,18]]},"references-count":27,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2026,6]]}},"alternative-id":["1410"],"URL":"https:\/\/doi.org\/10.1007\/s11280-026-01410-1","relation":{},"ISSN":["1386-145X","1573-1413"],"issn-type":[{"value":"1386-145X","type":"print"},{"value":"1573-1413","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,18]]},"assertion":[{"value":"10 September 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 February 2026","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 March 2026","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 March 2026","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not Applicable","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical Approval"}},{"value":"The authors declare no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing Interests"}}],"article-number":"23"}}