HTTP response header

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load.

Header usage statistics

X-WebKit-CSP response header information and usage statistics.

Websites using header X-WebKit-CSP 4,819
Percentage of websites that use X-WebKit-CSP header <0.1%
Total discovered header values 1,143
Header uses directives No
Header values are unique or random No
Most popular in the country United States of America

Distribution by websites popularity

X-WebKit-CSP detection in the top websites by popularity

Top 10k sites 16 websites
Top 100k sites 71 websites
Top 1m sites 715 websites

Websites utilizing X-WebKit-CSP

List of websites that use X-WebKit-CSP header

Domain Country Rank Contacts
www.surveymonkey.com United States of America 112
steemit.com United States of America 255
www.kraken.com United States of America 358
www.news.com.au United States of America 518
www.timeout.com United States of America 1,216
www.nrdc.org United States of America 1,367
See full domain list
Flat price per report, subscription is not required.

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common X-WebKit-CSP header values

Header value Value prevalence
default-src 'self' 'unsafe-inline' 12.99%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none'; 7.41%
default-src 'self' 4.73%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self' 4.46%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; 3.94%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;referrer no-referrer;img-src 'self' data: ; 3.30%
default-src 'self'; script-src 'self' 'unsafe-eval' www.google-analytics.com js-agent.newrelic.com bam.nr-data.net *.twimg.com *.twitter.com; style-src 'self' 'unsafe-inline' *.typekit.net fonts.googleapis.com platform.twitter.com *.twimg.com; img-src 'se 2.80%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; reflected-xss block; 1.95%
script-src 'self' 'unsafe-inline' 'unsafe-eval' www.piwik.bayern.de; img-src 'self' data: www.piwik.bayern.de; font-src 'self' data: 1.83%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 1.81%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org; 1.62%
default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:; 1.54%
frame-ancestors 'self' 1.47%
default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' https://www.google.com https://www.gstatic.com https://www.recaptcha.net wss://*.hotjar.com 'self'; upgrade-insecure-requests; frame-ancestors 'self' https://*.zendesk.com https://*.myshopify.co 1.18%
default-src 'self' gstatic.gitbook.com *.gitbook-staging.com *.gitbook.com *.firebaseio.com wss://*.firebaseio.com *.cloudfunctions.net *.googleapis.com *.gstatic.com data: *.google.com *.github.com *.algolianet.com *.algolia.net sentry.io *.logrocket.io 1.10%
report-uri /report-csp-violation 0.98%
frame-ancestors scvr.co *.scvr.co 0.95%
default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline' *.geodatenzentrum.de; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.wsv.bund.de *.geodatenzentrum.de; object-src 'self'; media-src 'self' *.wsv.bund.de *. 0.87%
script-src 'self' 'unsafe-inline' 'unsafe-eval' 0.62%
default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: data:; 0.60%