X-Content-Security-Policy-Report-Only

HTTP response header

Header usage statistics

X-Content-Security-Policy-Report-Only response header information and usage statistics.

Websites using header X-Content-Security-Policy-Report-Only 264
Percentage of websites that use X-Content-Security-Policy-Report-Only header <0.1%
Total discovered header values 114
Header uses directives No
Header values are unique or random No
Most popular in country United States of America

Distribution by websites popularity

X-Content-Security-Policy-Report-Only detection in the top websites by popularity

Top 10k sites 5 websites
Top 100k sites 9 websites
Top 1m sites 66 websites

Websites utilizing X-Content-Security-Policy-Report-Only

List of websites that use X-Content-Security-Policy-Report-Only header

Domain Country Rank
www.behance.net United States of America 81
www.surveymonkey.com United States of America 112
www.qualcomm.com United States of America 1,901
moxa.com United States of America 6,083
www.bodybuilding.com United States of America 6,144
pt.surveymonkey.com United States of America 10,910

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common X-Content-Security-Policy-Report-Only header values

Header value Value prevalence
default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' https://www.google.com https://www.gstatic.com https://www.recaptcha.net wss://*.hotjar.com 'self'; frame-ancestors 'self' https://*.zendesk.com https://*.myshopify.com https://teams.microsoft. 24.62%
default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; report-uri content.php?action=150&module=core&handler=ContentSecurityPolicyHandler&mode=reportCspViolation; report-to content.php?action=150&module=core&handler=ContentSecurityPolicyHandler&mode=rep 14.02%
report-uri /report-csp-violation 2.27%
default-src 'self'; block-all-mixed-content; connect-src 'self' wss://de20.zopim.com csi.gstatic.com maps.gstatic.com korrelatie.zendesk.com wss://widget-mediator.zopim.com ekr.zdassets.com veiligthuis.zendesk.com; font-src 'self' fonts.gstatic.com v2.zop 1.89%
script-src 'self' https: 'unsafe-inline' 1.89%
default-src 'self';img-src * data:;style-src 'self';font-src 'self';script-src 'self';connect-src 'self';frame-src 'self';child-src 'self';form-action 'self';block-all-mixed-content; report-uri https://bbcsp.report-uri.io/r/default/csp/reportOnly 1.52%
default-src 'self'; report-uri /admin/config/system/seckit/csp-report 1.52%
default-src 'none'; connect-src 'self' *.googleapis.com syndication.twitter.com www.google.com id.siteimprove.com app.trackduck.com my2.siteimprove.com cdnjs.cloudflare.com www.google-analytics.com stats.g.doubleclick.net svc.webspellchecker.net login.mic 1.52%
default-src 'self' https://static.eole-web.fr http://static.eole-web.fr; script-src 'self' 'unsafe-eval' data: http://cdn.ckeditor.com https://cdn.ckeditor.com http://connect.facebook.net https://connect.facebook.net https://platform.twitter.com http://pl 1.14%
default-src https: 'unsafe-inline' 'unsafe-eval' data: about:; report-uri /_resources/php/csp-report.php 1.14%
default-src 'self' https://*.tv1.eu http://*.tv1.eu 1.14%
default-src * 1.14%
default-src 'self' 'unsafe-inline' ;script-src data: 'self' 'unsafe-inline' 'unsafe-eval' static.cloud.coveo.com *.r42tag.com *.usabilla.com ssl.google-analytics.com www.google-analytics.com www.googleadservices.com tags.nmrc.nl *.onmarc.nl *.doubleclick. 1.14%
default-src 'self';img-src * data:;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'unsafe-inline';connect-src 'self';frame-src 'self';child-src 'self';form-action 'self';block-all-mixed-content; report-uri https://bbcsp.report-uri.io/r 0.76%
block-all-mixed-content; report-uri https://csp-reports.pravmir.ru/https-mixed-content-logger/csp_report_log.php; 0.76%
block-all-mixed-content; report-uri https://www.matrony.ru/https-mixed-content-logger/csp_report_log.php; 0.76%
default-src 'none'; connect-src 'self' www.google.com https://cdncache-a.akamaihd.net wss wss://generatorhostels.com ws1.hotjar.com ws2.hotjar.com ws3.hotjar.com ws4.hotjar.com ws5.hotjar.com graylog.hotjar.com cdnjs.cloudflare.com ajax.googleapis.com www 0.76%
default-src 'self' *.nasa.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' s.ytimg.com *.googletagmanager.com *.earthdata.nasa.gov script.crazyegg.com *.google-analytics.com s3.amazonaws.com *.youtube.com cdn.datatables.net svc.webspellchecker.net *.f 0.76%
default-src 'self' ; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://cdn.optimizely.com https://static.ads-twitter.com www.google-analytics.com www.gstatic.com https://analytics.twitter.com https://ssl.google-anal 0.76%
default-src 'self' ; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://googleads.g.doubleclick.net http://m.addthis.com http://m.addthisedge.com http://s7.addthis.com https://www.google-analytics.com http://www.googleadservices.com https://www 0.76%