Client-side attack detection via simulation for detecting and mitigating cross-site script code client-side attacks is disclosed. A system can receive, through a network interface from a web server, a first response having a first payload that includes an action based on a request to the web server and a second response having a corresponding payload that is received concurrently with the first response on a signal path from the web server that is different from that of the first response. The system can invoke the action from the first payload and detect malicious activity in the invoked action. The system can verify the detecting of the malicious activity and issue a message indicating a security incident relating to the malicious activity. The system can either allow or restrict passage of the second response to a network based on a mode of the system when the malicious activity is verified.