All-in-one free web application security tool. Web application vulnerability and privacy scanner with support for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, Supercookies, Evercookies. Includes a free SSL/TLS, HTML and HTTP vulnerability scanner and URL malware scanner.

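Websites setting the Content-Security-Policy HTTP header

Each row below gives a website followed by the Content-Security-Policy header value recorded for it. Many of these policies allow `'unsafe-inline'`, `'unsafe-eval'` or broad sources such as `https:` and `*` in `script-src` or `default-src`, which removes most of the protection CSP offers against script injection; the rows show how the header is deployed in practice and are not recommended configurations. Values appear as recorded, so a value wrapped in double quotes (if the quotes are part of the header as sent) or containing directives dropped from the CSP specification, such as `referrer` and `reflected-xss`, would not be enforced by browsers as its author intended.

Website / Content-Security-Policy header value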
webcookies.org script-src https://webcookies-20c4.kxcdn.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://pagead2.googlesyndication.com https://connect.facebook.net https://*.google.com https://*.twitter.com https://*.linkedin.com https://webcookies.disqus.com https://*.disquscdn.com 'unsafe-inline' 'self'; img-src https://webcookies-20c4.kxcdn.com https://*.facebook.com https://*.twitter.com https://pagead2.googlesyndication.com https://*.disquscdn.com https://*.paypal.com https://online.swagger.io https://static.licdn.com https://*.gstatic.com https://www.linkedin.com https://referrer.disqus.com 'self'; object-src https://pagead2.googlesyndication.com; default-src 'none'; frame-src https://*.google.com https://*.facebook.com https://*.twitter.com https://*.doubleclick.net https://platform.linkedin.com https://disqus.com; upgrade-insecure-requests ; style-src https://maxcdn.bootstrapcdn.com https://webcookies-20c4.kxcdn.com https://fonts.googleapis.com https://*.disquscdn.com https://cdnjs.cloudflare.com 'unsafe-inline'; media-src 'none'; child-src 'none'; referrer unsafe-url; reflected-xss block; connect-src https://pagead2.googlesyndication.com https://links.services.disqus.com 'self'; font-src https://maxcdn.bootstrapcdn.com https://webcookies-20c4.kxcdn.com https://fonts.googleapis.com https://fonts.gstatic.com; form-action 'self' https://*.paypal.com; frame-ancestors 'none';
web.whatsapp.com default-src 'self'; report-uri https://dyn.web.whatsapp.com/cspv; script-src 'self' 'unsafe-eval' https://ajax.googleapis.com; connect-src 'self' wss://*.web.whatsapp.com https://*.whatsapp.net https://dyn.web.whatsapp.com https://*.giphy.com https://*.tenor.co blob: https://crashlogs.whatsapp.net/wa_clb_data https://crashlogs.whatsapp.net/wa_fls_upload_check; img-src * data: blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com; media-src 'self' https://*.whatsapp.net https://*.giphy.com https://*.tenor.co blob: mediastream:; child-src 'self' blob:
webhost1.ru script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://bp.webhost1.ru https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://ajax.googleapis.com https://code.jquery.com https://api-maps.yandex.ru mc.yandex.ru https://www.google-analytics.com https://www.google.com https://www.gstatic.com
webhost1.ru script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://bp.webhost1.ru https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://ajax.googleapis.com https://code.jquery.com https://api-maps.yandex.ru mc.yandex.ru https://www.google-analytics.com https://www.google.com https://www.gstatic.com
douban.fm media-src 'self' *
douban.fm media-src 'self' *
profesdach.eu default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;;style-src 'self' 'unsafe-inline' ;img-src 'self' data: ;
mastercard.com.au frame-ancestors 'self'
gaymaletube.com default-src 'self'; script-src 'self' www.google-analytics.com; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' assetfiles.com *.pbwstatic.com www.google-analytics.com; media-src 'none'; frame-src 'none'
snapnames.com "frame-ancestors 'self'"
snapnames.com "frame-ancestors 'self'"
sulit.com.ph frame-ancestors 'self' app.optimizely.com *.optimizely.com *.optimizelyedit.com;
sulit.com.ph frame-ancestors 'self' app.optimizely.com *.optimizely.com *.optimizelyedit.com;
aztecaporno.com default-src 'self'; script-src 'self' www.google-analytics.com; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' assetfiles.com *.pbwstatic.com www.google-analytics.com; media-src 'none'; frame-src 'none'
patriotfcu.test-financialhost.org connect-src 'self' wss://patriotfcu.test-financialhost.org
kp.ru default-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src wss: https:; report-uri https://xshl.org/security/reporting/
www.kidsanddragons.co.il block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=00c7cd1c-e2f3-4adc-94e6-cdaae2097c71
www.kidsanddragons.co.il block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=8f14483c-f1e9-4a7e-bfb0-7ac1edc30efe
berniaga.com frame-ancestors 'self' app.optimizely.com *.optimizely.com *.optimizelyedit.com;
exist.ru default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com site.yandex.net yandex.st static-trackers.adtarget.me apis.google.com code.createjs.com www.gstatic.com www.google.com ssl.gstatic.com *.bemobile.ua *.onthe.io *.bigmir.net www.googletagmanager.com *.facebook.net *.doubleclick.net www.googleadservices.com vk.com *.c8.net.ua st.top100.ru www.google-analytics.com *.yandex.ru *.adfox.ru *.exist.ru; img-src * 'unsafe-inline' data:; font-src * 'unsafe-inline'; connect-src * 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' files.exist.ru lubadvisor.total-russia.ru yandex.ru www.facebook.com staticxx.facebook.com b.c8.net.ua vk.com www.google.com api-maps.yandex.ru www.elcats.ru www.japancats.ru;
exist.ru default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com site.yandex.net yandex.st static-trackers.adtarget.me apis.google.com code.createjs.com www.gstatic.com www.google.com ssl.gstatic.com *.bemobile.ua *.onthe.io *.bigmir.net www.googletagmanager.com *.facebook.net *.doubleclick.net www.googleadservices.com vk.com *.c8.net.ua st.top100.ru www.google-analytics.com *.yandex.ru *.adfox.ru *.exist.ru; img-src * 'unsafe-inline' data:; font-src * 'unsafe-inline'; connect-src * 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' files.exist.ru lubadvisor.total-russia.ru yandex.ru www.facebook.com staticxx.facebook.com b.c8.net.ua vk.com www.google.com api-maps.yandex.ru www.elcats.ru www.japancats.ru;
coastalscents.com block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=3e7eed29-80d9-45ee-94f8-bc85d48ebae1
coastalscents.com block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a4a922c5-d2a3-4f6c-8ce2-8905010c44db
mixcloud.com default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data: blob:; media-src https: http: blob: data:; connect-src http: https: ws: wss:;
mixcloud.com default-src https: data:; script-src https: data: 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data: blob:; media-src https: http: blob: data:; connect-src http: https: ws: wss:;