HTTP response header

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load.

Header usage statistics

X-Webkit-CSP response header information and usage statistics.

Websites using header X-Webkit-CSP 26,383
Percentage of websites that use X-Webkit-CSP header <0.1%
Total discovered header values 2,238
Header uses directives No
Header values are unique or random No
Most popular in the country Germany

Distribution by websites popularity

X-Webkit-CSP detection in the top websites by popularity

Top 10k sites 16 websites
Top 100k sites 65 websites
Top 1m sites 677 websites

Websites utilizing X-Webkit-CSP

List of websites that use X-Webkit-CSP header

Domain Country Rank Contacts
steemit.com United States of America 255
www.kraken.com United States of America 358
www.news.com.au United States of America 518
www.timeout.com United States of America 1,216
www.nrdc.org United States of America 1,367
www.dhl.com United States of America 1,551
See full domain list
Flat price per the report, subscription is not required.

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common X-Webkit-CSP header values

Header value Value prevalence
default-src 'self' 'unsafe-inline' 26.76%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; 12.32%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none'; 8.25%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; reflected-xss block; 5.65%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;referrer no-referrer;img-src 'self' data: ; 4.53%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self' 4.34%
default-src 'self' 3.48%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 2.06%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org; 1.92%
script-src 'self' 'unsafe-inline' 'unsafe-eval' w.estat.com *.moatads.com *.captcha.com *.vimeo.com fresnel.vimeocdn.com www.youtube.com *.doubleclick.net www.google-analytics.com ajax.googleapis.com maps.googleapis.com www.googletagmanager.com s7.addthi 1.24%
default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *; style-src * 'unsafe-inline'; img-src * data:; media-src *; frame-src *; font-src * data:; connect-src * 0.95%
default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:; 0.95%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org; 0.82%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 0.75%
default-src 'self' gstatic.gitbook.com *.gitbook-staging.com *.gitbook.com *.firebaseio.com wss://*.firebaseio.com *.cloudfunctions.net *.googleapis.com *.gstatic.com data: *.google.com *.github.com *.algolianet.com *.algolia.net sentry.io *.logrocket.io 0.67%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: ; 0.64%
default-src 'self'; script-src 'self' 'unsafe-eval' www.google-analytics.com js-agent.newrelic.com bam.nr-data.net *.twimg.com *.twitter.com; style-src 'self' 'unsafe-inline' *.typekit.net fonts.googleapis.com platform.twitter.com *.twimg.com; img-src 'se 0.52%
frame-ancestors 'self' 0.47%
frame-ancestors *.pic-time.com *.facebook.com 0.45%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 0.42%