X-Content-Security-Policy

HTTP response header

It controls which domains, subdomains and types of resources a browser is allowed to load on a given web page.

Header usage statistics

X-Content-Security-Policy response header information and usage statistics.

Websites using header X-Content-Security-Policy 84,882
Percentage of websites that use X-Content-Security-Policy header <0.1%
Total discovered header values 9,507
Header uses directives No
Header values are unique or random No
Most popular in the country United States of America

Distribution by websites popularity

X-Content-Security-Policy detection in the top websites by popularity

Top 10k sites 116 websites
Top 100k sites 626 websites
Top 1m sites 3,348 websites

Websites utilizing X-Content-Security-Policy

List of websites that use X-Content-Security-Policy header

Domain Country Rank
bfdi.bund.de Germany 245
www.bfdi.bund.de Germany 245
www.dropbox.com United States of America 260
www.npmjs.com United States of America 349
www.w3schools.com United States of America 734
news.gandi.net United States of America 820

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common X-Content-Security-Policy header values

Header value Value prevalence
default-src 'self' 'unsafe-inline' 13.47%
allow 'self'; 7.18%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; 6.59%
default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none'; 5.17%
default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *; style-src * 'unsafe-inline'; img-src * data:; media-src *; frame-src *; font-src * data:; connect-src * 4.95%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; reflected-xss block; 3.28%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self' 3.22%
frame-ancestors 'self' 2.35%
default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data: ; 2.09%
frame-ancestors * 1.56%
default-src 'self' 1.50%
frame-ancestors https://uscreen.io https://*.uscreen.io https://www.uscreen.tv 1.49%
default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data: *.tile.openstreetmap.org; 1.22%
default-src 'self' ;options inline-script eval-script;img-src 'self' data: ; 1.14%
script-src 'self' 'unsafe-inline' 'unsafe-eval' ; img-src 'self' data: ; object-src 'self' data: ; frame-src 'self' data: ; 1.00%
default-src 'self' 'unsafe-inline'; 0.99%
default-src 'self' ;options inline-script eval-script;img-src 'self' data: ; 0.78%
default-src 'self'; 0.74%
default-src *.ethicspoint.com *.ethicspointvp.com *.navexone.com *.navexglobal.com ethicspointvp.com cdn.pendo.io 'self' 'unsafe-eval' 'unsafe-inline' *.navexglobal.com; connect-src *.ethicspoint.com *.ethicspointvp.com *.navexone.com *.navexglobal.com et 0.73%
default-src 'self' gstatic.gitbook.com *.gitbook-staging.com *.gitbook.com *.firebaseio.com wss://*.firebaseio.com *.cloudfunctions.net *.googleapis.com *.gstatic.com data: *.google.com *.github.com *.algolianet.com *.algolia.net sentry.io *.logrocket.io 0.64%