Software Testing at the Network Layer: Automated HTTP API Quality Assessment and Security Analysis of Production Web Applications
Modern web applications rely heavily on client-side API calls to fetch data, render content, and communicate with backend services. However, the quality of these network interactions (redundant requests, missing cache headers, oversized payloads, and excessive third-party dependencies) is rarely tested in a systematic way. Moreover, many of these quality deficiencies carry security implications: missing cache headers enable cache poisoning, excessive third-party dependencies expand the supply-chain attack surface, and error responses risk leaking server internals. In this study, we present an automated software testing framework that captures and analyzes the complete HTTP traffic of 18 production websites spanning 11 categories (e-commerce, news, government, developer tools, travel, and more). Using automated browser instrumentation via Playwright, we record 108 HAR (HTTP Archive) files across 3 independent runs per page, then apply 8 heuristic-based anti-pattern detectors to produce a composite quality score (0-100) for each site. Our results reveal a wide quality spectrum: minimalist server-rendered sites achieve perfect scores of 100, while content-heavy commercial sites score as low as 56.8. We identify redundant API calls and missing cache headers as the two most pervasive anti-patterns, each affecting 67% of sites, while third-party overhead exceeds 20% on 72% of sites. One utility site makes 2,684 requests per page load, which is 447x more than the most minimal site. To protect site reputations, all identities are anonymized using category-based pseudonyms. We provide all analysis scripts, anonymized results, and reproducibility instructions as an open artifact. This work establishes an empirical baseline for HTTP API call quality across the modern web and offers a reproducible testing framework that researchers and practitioners can apply to their own applications.
💡 Research Summary
The paper addresses a gap in current web‑application testing: systematic assessment of the quality and security of HTTP API calls that occur at the network layer. While prior work has focused on UI‑level functional testing, API specification compliance, or page‑load performance metrics, none have examined the runtime behavior of client‑side API traffic in production sites. To fill this gap, the authors formulate two research questions: (RQ1) How good are the HTTP API call patterns of popular production websites? (RQ2) What are the quality and security implications of the observed anti‑patterns?
Methodologically, the study proceeds in three phases. In the “Capture” phase, Playwright—a modern browser‑automation framework—is used to visit 18 real‑world websites spanning 11 categories (e‑commerce, news, government, developer tools, travel, etc.). For each site, two representative pages (typically the home page and a secondary page) are loaded three independent times, yielding a total of 108 HAR (HTTP Archive) files. The multi‑run design mitigates nondeterminism caused by asynchronous JavaScript execution and ensures that the captured traffic is representative.
In the “Analyze” phase, the authors develop eight heuristic anti‑pattern detectors that operate directly on the HAR data: (1) redundant API calls, (2) N+1 query patterns, (3) missing cache‑control headers, (4) oversized payloads, (5) missing compression, (6) excessive third‑party overhead, (7) sequential waterfall calls, and (8) error‑response information leakage. Each detector inspects request URLs, methods, response headers, body sizes, and timing information, applying rule‑based thresholds (e.g., three identical requests within 200 ms constitute redundancy; the absence of Cache‑Control, ETag, or Expires headers flags a cache‑header violation).
The “Score” phase aggregates the eight dimensions into a weighted composite quality score ranging from 0 to 100, where 100 indicates no detected anti‑patterns. Weights are chosen to reflect security severity: missing cache headers and error‑response leaks receive higher penalties than, for example, missing compression.
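A hypothetical Python re-implementation of the Analyze and Score steps just described, added here and not the paper's released scripts: it runs two of the eight detectors (redundant calls, missing cache headers) over a constructed HAR fragment and folds the hits into a composite. The 200 ms window and the three cache headers come from the summary; the weights, the share-based scaling rule, and the reading of "missing" as "none of the three present" are assumptions.

```python
# Hypothetical re-implementation of two of the paper's eight HAR detectors and
# the weighted composite; thresholds follow the summary, weights are assumed.
from collections import defaultdict
from datetime import datetime

REDUNDANCY_WINDOW_MS = 200                      # "three identical requests within 200 ms"
CACHE_HEADERS = {"cache-control", "etag", "expires"}
WEIGHTS = {"redundant_calls": 15, "missing_cache_headers": 25}   # assumed, not the paper's

def _entry(ms, url, headers=()):
    """Build a minimal HAR entry (constructed sample data, not captured traffic)."""
    return {"startedDateTime": f"2024-01-01T00:00:{ms / 1000:06.3f}Z",
            "request": {"method": "GET", "url": url},
            "response": {"status": 200,
                         "headers": [{"name": k, "value": v} for k, v in headers]}}

SAMPLE_ENTRIES = [  # constructed: three identical cart calls inside 120 ms, none cacheable
    _entry(0, "https://app.example.test/api/cart"),
    _entry(50, "https://app.example.test/api/cart"),
    _entry(120, "https://app.example.test/api/cart"),
    _entry(1000, "https://app.example.test/static/app.js", [("Cache-Control", "max-age=31536000")]),
]

def _started_ms(entry):
    """HAR startedDateTime is ISO 8601 (usually with a trailing Z); return epoch milliseconds."""
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00")).timestamp() * 1000

def detect_redundant_calls(entries):
    """Return the (method, url) pairs requested three or more times within REDUNDANCY_WINDOW_MS."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["request"]["method"], e["request"]["url"])].append(_started_ms(e))
    flagged = set()
    for key, times in by_key.items():
        times.sort()                                # sliding window over three consecutive starts
        if any(times[i + 2] - times[i] <= REDUNDANCY_WINDOW_MS for i in range(len(times) - 2)):
            flagged.add(key)
    return flagged

def detect_missing_cache_headers(entries):
    """Return URLs of 200 responses carrying none of Cache-Control, ETag or Expires."""
    return [e["request"]["url"] for e in entries if e["response"]["status"] == 200
            and not {h["name"].lower() for h in e["response"]["headers"]} & CACHE_HEADERS]

def composite_score(entries):
    """100 minus weighted penalties, each scaled by the share of entries it affects (assumed rubric)."""
    redundant = detect_redundant_calls(entries)
    penalty = (WEIGHTS["redundant_calls"] * sum((e["request"]["method"], e["request"]["url"]) in redundant for e in entries)
               + WEIGHTS["missing_cache_headers"] * len(detect_missing_cache_headers(entries)))
    return round(max(0.0, 100 - penalty / max(len(entries), 1)), 1)
```

To run it on a real capture, load the HAR file with `json.load` and pass `data["log"]["entries"]` to the detectors; the sample scores 70.0 because three of its four entries are both redundant and uncacheable.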
Results reveal a wide quality spectrum. Minimalist, server‑rendered sites achieve perfect scores of 100, while content‑heavy commercial sites score as low as 56.8. The most problematic anti‑patterns are redundant calls and missing cache headers, each present in 67 % of the sites. Excessive third‑party traffic (>20 % of total requests) appears in 72 % of the sample. One utility site generates 2,684 requests per page load—447 × more than the leanest site—illustrating how modern SPAs and third‑party analytics can bloat network traffic.
From a security perspective, the authors map each anti‑pattern to concrete risks: missing cache headers enable cache‑poisoning attacks; oversized payloads increase the attack surface for data leakage; third‑party dependencies expand the supply‑chain attack surface; and error responses that expose stack traces or server versions facilitate targeted exploitation.
The study places a strong emphasis on reproducibility. All scripts (Playwright capture, HAR parsing, anti‑pattern detection, scoring) are released as open‑source artifacts, and site identities are anonymized using category‑based pseudonyms. Detailed documentation of browser versions, network conditions, and capture parameters is provided, allowing other researchers to replicate or extend the methodology.
In conclusion, the paper contributes a novel, automated framework for evaluating HTTP API quality and associated security risks at the network layer. By combining multi‑run browser instrumentation, heuristic anti‑pattern detection, and a weighted scoring rubric, the authors deliver a practical tool that can be integrated into CI/CD pipelines for continuous monitoring. The work establishes an empirical baseline for API call quality across the modern web and opens avenues for future research, such as refining detectors with machine‑learning techniques, longitudinal tracking of quality trends, and expanding the framework to cover emerging protocols like HTTP/3 and GraphQL.