CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website
| Websites using header content-security-policy | 5,182,073 |
| Percentage of websites that use content-security-policy header | 6.41% |
| Total discovered header values | More than 10,000 |
| Header uses directives | Yes |
| Header values are unique or random | No |
| Most popular in the country |  United States |
| Directive | Share | Websites count | Unique Values |
|---|---|---|---|
| upgrade-insecure-requests | 47.95% | 2,484,636 | 110 |
| block-all-mixed-content | 16.59% | 859,703 | 32 |
| frame-ancestors | <0.1% | 1,666 | 5 |
| default-src | <0.1% | 1,565 | 8 |
| report-uri | <0.1% | 758 | 4 |
| sandbox | <0.1% | 515 | 2 |
| object-src | <0.1% | 318 | 4 |
| base-uri | <0.1% | 267 | 2 |
| media-src | <0.1% | 211 | 2 |
| child-src | <0.1% | 153 | 2 |
| frame-src | <0.1% | 149 | 2 |
| script-src | <0.1% | 96 | 3 |
| worker-src | <0.1% | 71 | 2 |
| form-action | <0.1% | 53 | 2 |
| report-to | <0.1% | 41 | 2 |
| connect-src | <0.1% | 39 | 2 |
| font-src | <0.1% | 36 | 2 |
| style-src | <0.1% | 34 | 2 |
| manifest-src | <0.1% | 32 | 1 |
| img-src | <0.1% | 27 | 1 |
| trusted-types | <0.1% | 25 | 3 |
| plugin-types | <0.1% | 19 | 1 |
| prefetch-src | <0.1% | 17 | 1 |
| require-trusted-types-for | <0.1% | 8 | 1 |
| require-sri-for | <0.1% | 7 | 1 |
| script-src-attr | <0.1% | 6 | 1 |
| referrer | <0.1% | 5 | 1 |
| style-src-attr | <0.1% | 1 | 1 |
 Amazon S3, category Content Delivery Networks, total 1,234,610 websites |
 AddThis, category Widgets, total 509,653 websites |
 Afterpay, category Payment Processors, total 38,379 websites |
 Algolia, category Widgets, total 35,679 websites |
 Albacross, category Advertising, total 6,747 websites |
 Amazon Cognito, category Social login, total 1,056 websites |
 Acquia Content Hub, category Miscellaneous, total 3 websites |
| Domain | Country | Rank | Contacts |
|---|---|---|---|
| United States | 2 | ||
| United States | 3 | ||
| United States | 7 | ||
 www.instagram.com | United States | 9 | |
| United States | 11 | ||
| United States | 12 |
| Header value | Value prevalence |
|---|---|
| upgrade-insecure-requests | 22.60% |
| block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests; | 14.12% |
| frame-ancestors 'self' | 12.63% |
| upgrade-insecure-requests; | 7.04% |
| frame-ancestors 'self' godaddy.com *.godaddy.com | 6.01% |
| frame-ancestors 'self'; | 1.78% |
| frame-ancestors 'none'; | 1.49% |
| frame-ancestors https://*.ionos.com https://*.ionos.at https://*.ionos.co.uk https://*.ionos.de https://*.ionos.es https://*.ionos.fr https://*.ionos.it https://*.ionos.ca https://*.ionos.mx https://*.ionos.us https://*.website-editor.net https://*.mywebs | 1.16% |
| block-all-mixed-content | 0.68% |
| upgrade-insecure-requests; default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: blob: 'unsafe-inline'; | 0.65% |
| frame-ancestors 'none' | 0.58% |
| default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' | 0.48% |
| script-src 'self' | 0.41% |
| default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; | 0.39% |
| frame-ancestors 'self' websitebuilder.godaddy.com websitebuilder.secureserver.net | 0.38% |
| default-src 'self' 'unsafe-inline' | 0.38% |
| object-src 'none' | 0.37% |
| default-src https: data: 'unsafe-inline' 'unsafe-eval' | 0.32% |
| default-src 'self'; script-src 'self' 'unsafe-eval' https://challenges.cloudflare.com https://iframe.jimcdn.com https://googleads.g.doubleclick.net https://www.paypal.com https://js.stripe.com https://jimdo-dolphin-static-assets-prod.freetls.fastly.net ht | 0.31% |
| frame-ancestors https://manage.menufy.com https://manager.menufy.com | 0.29% |