Content-Security-Policy HTTP response header

Content-Security-Policy

HTTP response header

CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website

Content-Security-Policy response header information and usage statistics.


Websites using header Content-Security-Policy	755,119
Percentage of websites that use Content-Security-Policy header	6.95%
Total discovered header values	219,167
Header uses directives	Yes
Header values are unique or random	No
Most popular in the country	United States of America

Content-Security-Policy directives value information and usage statistics

Directive	Share	Websites count	Unique Values
upgrade-insecure-requests	30.17%	227,851	72
block-all-mixed-content	12.71%	95,958	44
default-src	<0.1%	658	8
frame-ancestors	<0.1%	278	3
base-uri	<0.1%	62	3
object-src	<0.1%	53	1
sandbox	<0.1%	50	1
frame-src	<0.1%	37	1
report-uri	<0.1%	33	7
child-src	<0.1%	17	2
media-src	<0.1%	17	1
worker-src	<0.1%	14	1
manifest-src	<0.1%	10	1
plugin-types	<0.1%	10	1
report-to	<0.1%	9	1
prefetch-src	<0.1%	7	1
script-src	<0.1%	7	3
connect-src	<0.1%	6	3
style-src	<0.1%	3	2
trusted-types	<0.1%	3	1
form-action	<0.1%	2	2
img-src	<0.1%	2	1
referrer	<0.1%	2	1
script-src-attr	<0.1%	2	1
style-src-attr	<0.1%	2	1
font-src	<0.1%	1	1

Technologies that utilize the header

Vimeo, category Video Players, total 186,505 websites

AddThis, category Widgets, total 139,285 websites

PayPal, category Payment Processors, total 91,146 websites

Drift, category Live Chat, total 15,952 websites

Tealium, category Tag Managers, total 6,896 websites

Contentful, category Content Management System, total 3,678 websites

Afterpay, category Payment Processors, total 3,455 websites

Heap, category Analytics, total 3,042 websites

BazaarVoice, category Analytics, total 2,183 websites

Scene7, category Content Management System, total 756 websites

Content-Security-Policy detection in the top websites by popularity

List of websites that use Content-Security-Policy header

Domain	Country	Rank
www.facebook.com	Ireland	2
twitter.com	United States of America	3
instagram.com	United States of America	7
www.instagram.com	Ireland	7
www.linkedin.com	United States of America	9
plus.google.com	United States of America	12

See full domain list
Flat price per report, subscription is not required.

Header usage distribution by websites across the globe.

List of top common Content-Security-Policy header values

Header value	Value prevalence
frame-ancestors 'self'	17.75%
block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;	13.34%
upgrade-insecure-requests	13.00%
upgrade-insecure-requests;	6.83%
default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'	1.62%
upgrade-insecure-requests; default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: blob: 'unsafe-inline';	1.21%
block-all-mixed-content	0.81%
frame-ancestors https://my.bigcartel.com;	0.63%
frame-ancestors 'self';	0.52%
block-all-mixed-content; frame-ancestors *; upgrade-insecure-requests;	0.51%
frame-ancestors 'self' websitebuilder.godaddy.com websitebuilder.secureserver.net	0.46%
frame-ancestors 'self' https://.granicus.com http://.granicus.com https://platform.civicplus.com https://account.civicplus.com https://analytics.civicplus.com; img-src * data:; worker-src * data: blob: 'unsafe-eval' 'unsafe-inline'; script-src * about:	0.42%
frame-ancestors 'none'	0.41%
script-src 'self'	0.39%
default-src https: data: 'unsafe-inline' 'unsafe-eval'	0.37%
frame-ancestors 'self' https://.webflow.com http://.webflow.com http://*.webflow.io http://webflow.com https://webflow.com	0.37%
frame-ancestors 'self' ;	0.34%
frame-ancestors 'self'; upgrade-insecure-requests	0.33%
frame-ancestors 'none';	0.31%
upgrade-insecure-requests; report-uri /__csp-collector/index	0.27%