Content-Security-Policy

HTTP response header

CSP provides a standard method for website owners to declare the approved origins of content that browsers should be allowed to load on that website.

Header usage statistics

Content-Security-Policy response header information and usage statistics.

| Property | Value |
|---|---|
| Websites using the Content-Security-Policy header | 586,493 |
| Percentage of websites that use the Content-Security-Policy header | 5.13% |
| Total discovered header values | 114,147 |
| Header uses directives | Yes |
| Header values are unique or random | No |
| Most popular in the country | United States of America |

Content-Security-Policy Directives (26 total)

  • base-uri
  • block-all-mixed-content
  • frame-ancestors
  • frame-src
  • upgrade-insecure-requests
  • worker-src
  • sandbox
  • default-src
  • report-uri
  • font-src
  • manifest-src
  • object-src
  • script-src
  • style-src
  • form-action
  • media-src
  • plugin-types
  • script-src-attr
  • connect-src
  • img-src
  • report-to
  • child-src
  • prefetch-src
  • style-src-attr
  • trusted-types
  • require-trusted-types-for

Content-Security-Policy Directives

Content-Security-Policy directive value information and usage statistics.

| Directive | Share | Websites count | Unique values |
|---|---|---|---|
| upgrade-insecure-requests | 15.76% | 92,452 | 48 |
| block-all-mixed-content | 1.53% | 8,955 | 35 |
| frame-ancestors | <0.1% | 150 | 1 |
| sandbox | <0.1% | 47 | 1 |
| base-uri | <0.1% | 44 | 1 |
| default-src | <0.1% | 29 | 5 |
| frame-src | <0.1% | 28 | 1 |
| object-src | <0.1% | 27 | 2 |
| report-uri | <0.1% | 19 | 4 |
| worker-src | <0.1% | 11 | 1 |
| report-to | <0.1% | 11 | 1 |
| manifest-src | <0.1% | 9 | 1 |
| media-src | <0.1% | 8 | 1 |
| script-src | <0.1% | 7 | 2 |
| plugin-types | <0.1% | 7 | 1 |
| child-src | <0.1% | 6 | 2 |
| connect-src | <0.1% | 4 | 2 |
| prefetch-src | <0.1% | 4 | 1 |
| form-action | <0.1% | 3 | 3 |
| script-src-attr | <0.1% | 2 | 1 |
| style-src-attr | <0.1% | 2 | 1 |
| style-src | <0.1% | 1 | 1 |
| img-src | <0.1% | 1 | 1 |
| trusted-types | <0.1% | 1 | 1 |
| require-trusted-types-for | <0.1% | 1 | 1 |

Distribution by website popularity

Content-Security-Policy detection in the top websites by popularity.

| Popularity tier | Websites using the header |
|---|---|
| Top 10k sites | 1,538 |
| Top 100k sites | 8,050 |
| Top 1m sites | 55,157 |

Websites utilizing Content-Security-Policy

List of websites that use the Content-Security-Policy header.

| Domain | Country | Rank | Contacts |
|---|---|---|---|
| twitter.com | United States of America | 3 | |
| instagram.com | United States of America | 7 | |
| www.instagram.com | Ireland | 7 | |
| plus.google.com | United States of America | 12 | |
| www.pinterest.com | United States of America | 13 | |
| www.linkedin.com | United States of America | 30,270 | |

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of the most common Content-Security-Policy header values.

| Header value | Value prevalence |
|---|---|
| frame-ancestors 'self' | 20.26% |
| block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests; | 15.64% |
| upgrade-insecure-requests | 13.80% |
| upgrade-insecure-requests; | 7.80% |
| default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' | 1.97% |
| frame-ancestors 'none'; | 1.04% |
| block-all-mixed-content | 0.96% |
| frame-ancestors 'self' websitebuilder.godaddy.com websitebuilder.secureserver.net | 0.93% |
| object-src 'none'; base-uri 'self'; frame-src player.vimeo.com w.soundcloud.com www.slideshare.net www.youtube.com bandcamp.com sketchfab.com *.google.com *.facebook.com *.facebook.net *.twitter.com social-plugins.line.me *.g.doubleclick.net www.googl | 0.82% |
| frame-ancestors https://my.bigcartel.com; | 0.78% |
| block-all-mixed-content; frame-ancestors *; upgrade-insecure-requests; | 0.64% |
| frame-ancestors 'self'; | 0.59% |
| frame-ancestors 'self' https://*.granicus.com http://*.granicus.com https://platform.civicplus.com https://account.civicplus.com https://analytics.civicplus.com; img-src * data:; worker-src * data: blob: 'unsafe-eval' 'unsafe-inline'; script-src * a | 0.53% |
| frame-ancestors 'self' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com | 0.51% |
| script-src 'self' | 0.48% |
| default-src https: data: 'unsafe-inline' 'unsafe-eval' | 0.45% |
| frame-ancestors 'none' | 0.41% |
| frame-ancestors 'self'; upgrade-insecure-requests | 0.40% |
| upgrade-insecure-requests; report-uri /__csp-collector/index | 0.35% |
| sandbox allow-scripts; default-src 'self'; img-src https:; style-src 'unsafe-inline'; script-src 'unsafe-inline'; report-uri http://csp.yahoo.com/beacon/csp?src=redirect | 0.33% |