X-WebKit-CSP

HTTP response header

X-WebKit-CSP is the WebKit-prefixed precursor of the Content-Security-Policy HTTP response header, which reduces XSS risk by declaring which dynamic resources a page is allowed to load. Modern browsers honour only the unprefixed Content-Security-Policy header, so X-WebKit-CSP on its own no longer provides any protection.

Header usage statistics

X-WebKit-CSP response header information and usage statistics.

Websites using header X-WebKit-CSP 5,423
Percentage of websites that use X-WebKit-CSP header <0.1%
Total discovered header values 1,113
Header uses directives No
Header values are unique or random No
Most popular in the country Germany

Distribution by websites popularity

X-WebKit-CSP detection in the top websites by popularity

Top 10k sites 8 websites
Top 100k sites 65 websites
Top 1m sites 732 websites

Websites utilizing X-WebKit-CSP

List of websites that use X-WebKit-CSP header

Domain Country Rank Contacts
www.surveymonkey.com United States of America 112
steemit.com United States of America 255
www.news.com.au United States of America 518
www.uber.com United States of America 981
www.nrdc.org United States of America 1,367
www.tepapa.govt.nz United States of America 6,047

Geographical Distribution

Header usage distribution by websites across the globe.
Common header values

List of top common X-WebKit-CSP header values

Header value (prevalence)
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none'; 21.87%
default-src 'self' 'unsafe-inline' 6.10%
default-src 'self' 4.17%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self' 3.87%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;referrer no-referrer;img-src 'self' data: ; 3.60%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; 3.32%
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; reflected-xss block; 2.30%
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' data: www.google-analytics.com js-agent.newrelic.com bam.nr-data.net *.twimg.com *.twitter.com *.swellbox.com; style-src 'self' 'unsafe-inline' *.typekit.net fonts.googleapis. 2.16%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 1.88%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org; 1.68%
default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:; 1.59%
frame-ancestors 'self' 1.42%
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://crowdmap.com https://*.crowdmap.com https://*.typekit.com https://apis.google.com https://*.akamai.net https://*.gaug.es https://*.youtube.com https://*.ytimg.net https://*.googlevideo.com http 1.20%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' ;img-src 'self' data: ; 1.20%
default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: ; 1.18%
default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' https://www.google.com https://www.gstatic.com https://www.recaptcha.net wss://*.hotjar.com 'self'; upgrade-insecure-requests; frame-ancestors 'self' https://*.zendesk.com https://*.mysh 1.03%
script-src 'self' 'unsafe-inline' 'unsafe-eval' www.piwik.bayern.de; img-src 'self' data: www.piwik.bayern.de; font-src 'self' data: 0.94%
default-src 'self' gstatic.gitbook.com *.gitbook-staging.com *.gitbook.com *.firebaseio.com wss://*.firebaseio.com *.cloudfunctions.net *.googleapis.com *.gstatic.com data: *.google.com *.github.com *.algolianet.com *.algolia.net sentry.io *.logrocket.i 0.79%
frame-ancestors scvr.co *.scvr.co 0.70%
default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.wsv.bund.de sg.geodatenzentrum.de; object-src 'self'; media-src 'self' *.wsv.bund.de *. 0.66%