CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website
| Websites using header Content-Security-Policy | 586,493 |
| Percentage of websites that use Content-Security-Policy header | 5.13% |
| Total discovered header values | 114,147 |
| Header uses directives | Yes |
| Header values are unique or random | No |
| Most popular in the country | 
United States of America
|
| Directive | Share | Websites count | Unique Values |
|---|---|---|---|
| upgrade-insecure-requests | 15.76% | 92,452 | 48 |
| block-all-mixed-content | 1.53% | 8,955 | 35 |
| frame-ancestors | <0.1% | 150 | 1 |
| sandbox | <0.1% | 47 | 1 |
| base-uri | <0.1% | 44 | 1 |
| default-src | <0.1% | 29 | 5 |
| frame-src | <0.1% | 28 | 1 |
| object-src | <0.1% | 27 | 2 |
| report-uri | <0.1% | 19 | 4 |
| worker-src | <0.1% | 11 | 1 |
| report-to | <0.1% | 11 | 1 |
| manifest-src | <0.1% | 9 | 1 |
| media-src | <0.1% | 8 | 1 |
| script-src | <0.1% | 7 | 2 |
| plugin-types | <0.1% | 7 | 1 |
| child-src | <0.1% | 6 | 2 |
| connect-src | <0.1% | 4 | 2 |
| prefetch-src | <0.1% | 4 | 1 |
| form-action | <0.1% | 3 | 3 |
| script-src-attr | <0.1% | 2 | 1 |
| style-src-attr | <0.1% | 2 | 1 |
| style-src | <0.1% | 1 | 1 |
| img-src | <0.1% | 1 | 1 |
| trusted-types | <0.1% | 1 | 1 |
| require-trusted-types-for | <0.1% | 1 | 1 |
| Top 10k sites | 1,538 websites |
| Top 100k sites | 8,050 websites |
| Top 1m sites | 55,157 websites |
| Domain | Country | Rank | Contacts |
|---|---|---|---|
|
|
United States of America
|
3 | |
|
|
United States of America
|
7 | |
|
|
Ireland
|
7 | |
|
|
United States of America
|
12 | |
|
|
United States of America
|
13 | |
|
|
United States of America
|
30,270 |
| Header value | Value prevalence |
|---|---|
| frame-ancestors ''self'' | 20.26% |
| block-all-mixed-content; frame-ancestors ''none''; upgrade-insecure-requests; | 15.64% |
| upgrade-insecure-requests | 13.80% |
| upgrade-insecure-requests; | 7.80% |
| default-src ''none''; style-src ''unsafe-inline''; img-src data:; connect-src ''self'' | 1.97% |
| frame-ancestors ''none''; | 1.04% |
| block-all-mixed-content | 0.96% |
| frame-ancestors ''self'' websitebuilder.godaddy.com websitebuilder.secureserver.net | 0.93% |
| object-src ''none''; base-uri ''self''; frame-src player.vimeo.com w.soundcloud.com www.slideshare.net www.youtube.com bandcamp.com sketchfab.com *.google.com *.facebook.com *.facebook.net *.twitter.com social-plugins.line.me *.g.doubleclick.net www.googl | 0.82% |
| frame-ancestors https://my.bigcartel.com; | 0.78% |
| block-all-mixed-content; frame-ancestors *; upgrade-insecure-requests; | 0.64% |
| frame-ancestors ''self''; | 0.59% |
| frame-ancestors ''self'' https://*.granicus.com http://*.granicus.com https://platform.civicplus.com https://account.civicplus.com https://analytics.civicplus.com; img-src * data:; worker-src * data: blob: ''unsafe-eval'' ''unsafe-inline''; script-src * a | 0.53% |
| frame-ancestors ''self'' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com | 0.51% |
| script-src ''self'' | 0.48% |
| default-src https: data: ''unsafe-inline'' ''unsafe-eval'' | 0.45% |
| frame-ancestors ''none'' | 0.41% |
| frame-ancestors ''self''; upgrade-insecure-requests | 0.40% |
| upgrade-insecure-requests; report-uri /__csp-collector/index | 0.35% |
| sandbox allow-scripts; default-src ''self''; img-src https:; style-src ''unsafe-inline''; script-src ''unsafe-inline''; report-uri http://csp.yahoo.com/beacon/csp?src=redirect | 0.33% |