X-WebKit-CSP HTTP response header

X-WebKit-CSP is the legacy, WebKit-prefixed form of the Content-Security-Policy HTTP response header, which helps reduce XSS risk on modern browsers by declaring which dynamic resources are allowed to load.

Header usage statistics

X-WebKit-CSP response header information and usage statistics.

Websites using header X-WebKit-CSP 50,414
Percentage of websites that use X-WebKit-CSP header <0.1%
Total discovered header values 4,076
Header uses directives No
Header values are unique or random No
Most popular in the country Germany

Distribution by websites popularity

X-WebKit-CSP detection in the top websites by popularity

Top 10k sites 43 websites
Top 100k sites 257 websites
Top 1m sites 1,569 websites

Websites utilizing X-WebKit-CSP

List of websites that use the X-WebKit-CSP header

Domain Country Rank
bfdi.bund.de Germany 245
www.bfdi.bund.de Germany 245
news.gandi.net United States of America 820
www.mrdomain.com Spain 1,440
www.rki.de United States of America 1,864
www.dhl.com United States of America 2,757

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

Most common X-WebKit-CSP header values

Header value Value prevalence
default-src 'self' 'unsafe-inline' 22.32%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; 11.12%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none'; 8.72%
default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *; style-src * 'unsafe-inline'; img-src * data:; media-src *; frame-src *; font-src * data:; connect-src * 8.35%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; reflected-xss block; 5.48%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self' 5.45%
default-src 'self' 3.55%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;referrer no-referrer;img-src 'self' data: ; 3.27%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org; 2.05%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 1.15%
default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:; 1.08%
default-src 'self' gstatic.gitbook.com *.gitbook-staging.com *.gitbook.com *.firebaseio.com wss://*.firebaseio.com *.cloudfunctions.net *.googleapis.com *.gstatic.com data: *.google.com *.github.com *.algolianet.com *.algolia.net sentry.io *.logrocket.io 1.05%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 0.94%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: ; 0.78%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org; 0.72%
allow 'self'; 0.71%
frame-ancestors 'self' 0.56%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 0.41%
default-src 'self' www.google-analytics.com; script-src 'self' 'unsafe-inline' connect.facebook.net static.tacdn.com www.tripadvisor.fr www.tripadvisor.com www.jscache.com assets.pinterest.com log.pinterest.com ajax.googleapis.com platform.twitter.com api 0.40%
default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; media-src 'self'; form-action 'self'; child-src 'self'; frame-ancestors 'self'; connect-src 'none'; report-uri 'self'; report-to 'self'; 0.39%