{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:24:43Z","timestamp":1774448683405,"version":"3.50.1"},"reference-count":39,"publisher":"IEEE","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018,5]]},"DOI":"10.23919\/cycon.2018.8405025","type":"proceedings-article","created":{"date-parts":[[2018,7,9]],"date-time":"2018-07-09T19:16:45Z","timestamp":1531163805000},"page":"345-370","source":"Crossref","is-referenced-by-count":30,"title":["HTTP security headers analysis of top one million websites"],"prefix":"10.23919","author":[{"given":"Arturs","family":"Lavrenovs","sequence":"first","affiliation":[]},{"given":"F. Jesus Rubio","family":"Melon","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1002\/sec.1649"},{"key":"ref38","article-title":"Subresource Integrity","year":"2016","journal-title":"W3C Recommendation"},{"key":"ref33","article-title":"Content Security Policy 1.0","year":"0","journal-title":"(CSPl) W3C Working Group Note 19 February 2015 discontinued"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_11"},{"key":"ref31","year":"0","journal-title":"Usage of HTTP\/2 for websites W3Techs"},{"key":"ref30","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1016\/S1361-3723(11)70073-2","article-title":"The state of HTTP declarative security in online banking websites","volume":"2011","year":"2011","journal-title":"Computer Fraud & Security"},{"key":"ref37","article-title":"Referrer Policy","year":"2017","journal-title":"W3C Candidate Recommendation"},{"key":"ref36","article-title":"Good Practices for Capability URLs","year":"2014","journal-title":"W3C First Public Working Draft"},{"key":"ref35","article-title":"Content Security Policy Level 3","year":"2016","journal-title":"(CSP3) W3C Working Draft"},{"key":"ref34","article-title":"Content Security Policy Level 2","year":"2016","journal-title":"(CSP2) W3C Recommendation"},{"key":"ref10","article-title":"HTTP State Management Mechanism","year":"2011","journal-title":"IETF Standard RFC 6265"},{"key":"ref11","article-title":"HTTP Strict Transport Security (HSTS)","year":"2012","journal-title":"IETF Standard RFC 6797"},{"key":"ref12","article-title":"Hypertext Transfer Protocol (HTTP\/1.1): Semantics and Content","year":"2014","journal-title":"IETF Standard RFC 7231"},{"key":"ref13","article-title":"Public Key Pinning Extension for HTTP","year":"2015","journal-title":"IETF Standard RFC 7469"},{"key":"ref14","article-title":"Same-Site Cookies","year":"2016","journal-title":"IETF Internet-Draft Standard"},{"key":"ref15","author":"king","year":"2017","journal-title":"Analysis of the Alexa Top 1M sites (June 2017)"},{"key":"ref16","year":"0","journal-title":"Let's encrypt - free ssl\/tls certificates"},{"key":"ref17","year":"0"},{"key":"ref18","year":"0","journal-title":"Mozilla HTTP Observatory Website"},{"key":"ref19","year":"0","journal-title":"Mozilla Included CA Certificate List"},{"key":"ref28","article-title":"Busting Frame Busting: a Study of Clickjacking Vulnerabilities at Popular Sites","author":"rydstedt","year":"0","journal-title":"IEEE Oakland Web 2 0 Security and Privacy (W2SP 2010)"},{"key":"ref4","article-title":"I am giving up on HPKP","author":"helme","year":"2017","journal-title":"Blog Post"},{"key":"ref27","article-title":"Is HTTP Public Key Pinning dead?","author":"ristic","year":"2016","journal-title":"Blog Post"},{"key":"ref3","year":"0","journal-title":"Cisco Umbrella 1 Million"},{"key":"ref6","author":"helme","year":"0","journal-title":"Daily scans of the top one million sites"},{"key":"ref29","year":"0","journal-title":"[IO] Security Headers Website"},{"key":"ref5","article-title":"Alexa Top 1 Million Analysis - August 2017","author":"helme","year":"2017","journal-title":"Blog Post"},{"key":"ref8","year":"0","journal-title":"Http\/2"},{"key":"ref7","year":"0","journal-title":"Httprint web server fingerprinting tool"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052698"},{"key":"ref9","article-title":"HTTP Header Field X-Frame-Options","year":"2013","journal-title":"IETF Informational RFC 7034"},{"key":"ref1","year":"0","journal-title":"Alexa's Top One Million Websites"},{"key":"ref20","year":"0","journal-title":"Mozilla Intermediate Certificates"},{"key":"ref22","year":"0","journal-title":"NMap"},{"key":"ref21","year":"0","journal-title":"Netcraft Site Report"},{"key":"ref24","article-title":"Intent to deprecate and remove HPKP","author":"palmer","year":"2017","journal-title":"forum post"},{"key":"ref23","year":"0","journal-title":"OWASP Clickjacking Defence Cheat Sheet"},{"key":"ref26","year":"0","journal-title":"Requests HTTP for humans v2 18 4 Python library"},{"key":"ref25","article-title":"Using logs to investigate a web application attack","author":"prodromou","year":"2016","journal-title":"Blog Post"}],"event":{"name":"2018 10th International Conference on Cyber Conflict (CyCon)","location":"Tallinn","start":{"date-parts":[[2018,5,29]]},"end":{"date-parts":[[2018,6,1]]}},"container-title":["2018 10th International Conference on Cyber Conflict (CyCon)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8399711\/8405000\/08405025.pdf?arnumber=8405025","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2018,7,31]],"date-time":"2018-07-31T03:56:53Z","timestamp":1533009413000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8405025\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5]]},"references-count":39,"URL":"https:\/\/doi.org\/10.23919\/cycon.2018.8405025","relation":{},"subject":[],"published":{"date-parts":[[2018,5]]}}}