Content-Security-Policy

HTTP response header

CSP provides a standard method for website owners to declare the approved origins of content that browsers should be allowed to load on that website.

Header usage statistics

Content-Security-Policy response header information and usage statistics.

Websites using header Content-Security-Policy: 4,277,617
Percentage of websites that use Content-Security-Policy header: 4.32%
Total discovered header values: 10,001
Header uses directives: Yes
Header values are unique or random: No
Most popular in the country: United States of America

Content-Security-Policy Directives (29 total)

  • base-uri
  • block-all-mixed-content
  • child-src
  • connect-src
  • default-src
  • font-src
  • form-action
  • frame-ancestors
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • object-src
  • plugin-types
  • prefetch-src
  • referrer
  • report-to
  • report-uri
  • require-sri-for
  • require-trusted-types-for
  • sandbox
  • script-src
  • script-src-attr
  • style-src
  • style-src-attr
  • style-src-elem
  • trusted-types
  • upgrade-insecure-requests
  • worker-src

Content-Security-Policy Directives

Content-Security-Policy directives value information and usage statistics

Directive Share Websites count Unique Values
upgrade-insecure-requests 46.84% 2,003,802 99
block-all-mixed-content 21.09% 902,176 55
frame-ancestors <0.1% 2,052 3
default-src <0.1% 1,620 8
base-uri <0.1% 353 2
sandbox <0.1% 248 2
report-uri <0.1% 242 6
object-src <0.1% 224 3
frame-src <0.1% 140 3
media-src <0.1% 127 2
child-src <0.1% 96 2
script-src <0.1% 66 4
worker-src <0.1% 65 3
plugin-types <0.1% 52 1
manifest-src <0.1% 43 1
report-to <0.1% 43 2
connect-src <0.1% 39 3
form-action <0.1% 38 3
prefetch-src <0.1% 24 1
style-src <0.1% 23 2
font-src <0.1% 19 1
trusted-types <0.1% 19 1
img-src <0.1% 18 2
require-sri-for <0.1% 12 1
script-src-attr <0.1% 10 1
require-trusted-types-for <0.1% 7 1
style-src-attr <0.1% 6 1
referrer <0.1% 3 1
style-src-elem <0.1% 2 1

Connected technologies

Technologies that utilize the header

PayPal, category Payment Processors, total 1,168,882 websites
Vimeo, category Video Players, total 1,064,247 websites
AddThis, category Widgets, total 767,910 websites
Tealium, category Tag Managers, total 47,653 websites
Drift, category Live Chat, total 41,327 websites
Afterpay, category Payment Processors, total 32,781 websites
Heap, category Analytics, total 15,214 websites
Contentful, category Content Management System, total 13,705 websites
Scene7, category Content Management System, total 4,745 websites

Distribution by websites popularity

Content-Security-Policy detection in the top websites by popularity

Top 10k sites 2,045 websites
Top 100k sites 14,558 websites
Top 1m sites 109,489 websites

Websites utilizing Content-Security-Policy

List of websites that use Content-Security-Policy header

Domain Country Rank
www.facebook.com Ireland 2
twitter.com United States of America 7
instagram.com United States of America 9
www.instagram.com Ireland 9
www.messenger.com Ireland 12
hugedomains.com United States of America 14

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common Content-Security-Policy header values

Header value Value prevalence
frame-ancestors 'none'; 17.82%
upgrade-insecure-requests 16.31%
frame-ancestors 'self' 13.12%
frame-ancestors 'self' godaddy.com test-godaddy.com dev-godaddy.com *.godaddy.com *.test-godaddy.com *.dev-godaddy.com 8.07%
upgrade-insecure-requests; 6.97%
block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests; 3.74%
frame-ancestors https://*.ionos.com https://*.ionos.at https://*.ionos.co.uk https://*.ionos.de https://*.ionos.es https://*.ionos.fr https://*.ionos.it https://*.ionos.ca https://*.ionos.mx https://*.ionos.us https://*.website-editor.net https://*.mywebs 1.64%
report-to network-errors 1.30%
upgrade-insecure-requests; default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: blob: 'unsafe-inline'; 1.07%
frame-ancestors 'self'; 0.73%
default-src * data: blob: 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.jimdo.com jimdo.com; worker-src blob: 0.69%
frame-ancestors 'self' websitebuilder.godaddy.com websitebuilder.secureserver.net 0.60%
frame-ancestors 'none' 0.55%
frame-ancestors https://manage.menufy.com https://manager.menufy.com 0.50%
default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' 0.47%
default-src * data: 'unsafe-eval' 'unsafe-inline' 0.46%
script-src 'self' 0.45%
block-all-mixed-content 0.42%
default-src https: data: 'unsafe-inline' 'unsafe-eval' 0.36%
frame-ancestors https://my.bigcartel.com; 0.33%