Content-Security-Policy

HTTP response header

CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website

Header usage statistics

Content-Security-Policy response header information and usage statistics.

Websites using header Content-Security-Policy4,683,798
Percentage of websites that use Content-Security-Policy header4.71%
Total discovered header valuesMore than 10,000
Header uses directivesYes
Header values are unique or randomNo
Most popular in the country US

Content-Security-Policy directives (29 total)

  • base-uri
  • block-all-mixed-content
  • child-src
  • connect-src
  • default-src
  • font-src
  • form-action
  • frame-ancestors
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • object-src
  • plugin-types
  • prefetch-src
  • referrer
  • report-to
  • report-uri
  • require-sri-for
  • require-trusted-types-for
  • sandbox
  • script-src
  • script-src-attr
  • style-src
  • style-src-attr
  • style-src-elem
  • trusted-types
  • upgrade-insecure-requests
  • worker-src

Content-Security-Policy Directives

Content-Security-Policy directives value information and usage statistics

DirectiveShareWebsites countUnique Values
upgrade-insecure-requests46.41%2,173,74066
block-all-mixed-content18.68%874,93038
frame-ancestors<0.1%2,2094
default-src<0.1%1,5917
base-uri<0.1%3232
report-uri<0.1%2994
sandbox<0.1%2382
object-src<0.1%2313
media-src<0.1%1461
frame-src<0.1%1393
child-src<0.1%1043
script-src<0.1%752
worker-src<0.1%692
img-src<0.1%502
manifest-src<0.1%431
report-to<0.1%412
connect-src<0.1%372
form-action<0.1%372
plugin-types<0.1%361
style-src<0.1%272
trusted-types<0.1%271
font-src<0.1%231
prefetch-src<0.1%231
require-sri-for<0.1%131
require-trusted-types-for<0.1%71
script-src-attr<0.1%61
referrer<0.1%51
style-src-attr<0.1%41
style-src-elem<0.1%21

Connected technologies

Technologies that utilize the header

PayPal, category Payment, total 1,213,472 websites
AddThis, category Widgets, total 646,153 websites
Tealium, category Tag Managers, total 43,590 websites
Algolia, category Widgets, total 37,228 websites
Afterpay, category Buy now pay later, total 35,778 websites
Heap, category Analytics, total 27,538 websites
Drift, category Live Chat, total 20,790 websites
Contentful, category Content Management System, total 14,905 websites
RapidSec, category Security Solutions, total 254 websites
Acquia Content Hub, category Miscellaneous, total 2 websites

Distribution by websites popularity

Content-Security-Policy detection in the top websites by popularity

Top 10k sites2,222 websites
Top 100k sites16,454 websites
Top 1m sites124,289 websites

Websites utilizing Content-Security-Policy

List of websites that use Content-Security-Policy header

DomainCountryRankContacts
www.facebook.com US2
twitter.com US7
instagram.com US9
www.instagram.com US9
developers.google.com US11
www.messenger.com US12
See full domain list
Flat price per the report, subscription is not required.

Geographical Distribution

Header usage distribution by websites across the globe.






Common header values

List of top common Content-Security-Policy header values

Header valueValue prevalence
upgrade-insecure-requests18.54%
block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;17.06%
frame-ancestors 'self'12.82%
upgrade-insecure-requests;7.44%
frame-ancestors 'self' godaddy.com test-godaddy.com dev-godaddy.com *.godaddy.com *.test-godaddy.com *.dev-godaddy.com6.81%
frame-ancestors 'none';2.33%
frame-ancestors https://*.ionos.com https://*.ionos.at https://*.ionos.co.uk https://*.ionos.de https://*.ionos.es https://*.ionos.fr https://*.ionos.it https://*.ionos.ca https://*.ionos.mx https://*.ionos.us https://*.website-editor.net https://*.mywebs1.49%
report-to network-errors1.32%
frame-ancestors 'self';1.32%
upgrade-insecure-requests; default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: blob: 'unsafe-inline';0.89%
default-src * data: blob: 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.jimdo.com jimdo.com; worker-src blob:0.60%
frame-ancestors 'none'0.58%
frame-ancestors 'self' websitebuilder.godaddy.com websitebuilder.secureserver.net0.49%
block-all-mixed-content0.47%
default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'0.45%
script-src 'self'0.44%
frame-ancestors https://manage.menufy.com https://manager.menufy.com0.42%
default-src * data: 'unsafe-eval' 'unsafe-inline'0.35%
default-src https: data: 'unsafe-inline' 'unsafe-eval'0.35%
default-src 'self' 'unsafe-inline'0.30%