As Veracode published their analysis of security headers on top 1m websites, I realized that I can actually compare their results with mine. Veracode analysis (Security Headers on the Top 1,000,000 Websites: March 2014 Report) is valuable because it shows how websites are really using relatively new HTTP security features in production.
| Content-Security-Policy | 0.05% | 0.1% |

As you can see, both result sets are quite similar. I'm not really surprised that so few sites use Content-Security-Policy, as it's quite difficult to set up on existing websites and not really easy even on a brand new website. On the other hand, if you look at which high-profile websites are actually targeted by attackers (such as Google or FB), most of them do use both STS and CSP. It's just that the effort of setting these up is outweighed by the increase in security for their users. My numbers came from a quick database lookup, but the data set is open to anyone who would like to perform any deeper analysis — just contact me on G+.
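The kind of database lookup behind these percentages is easy to reproduce. The following is an added example (not the post's own code or the Veracode methodology): it parses captured HTTP response header blocks, checks for Strict-Transport-Security and Content-Security-Policy (including the vendor-prefixed X-Content-Security-Policy and X-WebKit-CSP names that browsers honoured before the standard header), and tallies adoption. The sample responses are constructed, not real sites. One caveat it also surfaces: an STS header with `max-age=0` is present but switches HSTS off, so "header present" and "HSTS actually enforced" are counted separately.

```python
"""Added example: tally HTTP security-header adoption over captured
response-header blocks. Sample data below is constructed."""
from __future__ import annotations

import re

# Header names that count as "uses STS" / "uses CSP" (all compared lowercase).
STS_HEADERS = {"strict-transport-security"}
CSP_HEADERS = {
    "content-security-policy",
    "x-content-security-policy",  # pre-standard prefixed name (Firefox, IE)
    "x-webkit-csp",               # pre-standard prefixed name (WebKit)
}

# Constructed sample responses: one site with both headers, one with an STS
# header that disables HSTS (max-age=0), one with only a prefixed CSP header,
# and one with neither.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=0\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Content-Security-Policy: default-src 'self'\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n",
]


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response (status line followed by header lines)
    into a dict keyed by lowercase header name. Duplicate names keep the
    last value, which is enough for a presence survey."""
    headers: dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int | None:
    """Extract the max-age directive from an STS header value, or None
    if the header carries no usable max-age (such a header is ignored)."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def classify(headers: dict[str, str]) -> dict[str, bool]:
    """Decide for one site whether STS / CSP headers are present, and whether
    the STS header would actually enable HSTS (max-age greater than zero)."""
    sts_name = next((h for h in STS_HEADERS if h in headers), None)
    max_age = hsts_max_age(headers[sts_name]) if sts_name else None
    return {
        "sts_present": sts_name is not None,
        "sts_enforced": bool(max_age) and max_age > 0,
        "csp_present": any(h in headers for h in CSP_HEADERS),
    }


def tally(responses: list[str]) -> dict[str, float]:
    """Return adoption percentages (rounded to two decimals) over all responses."""
    results = [classify(parse_headers(r)) for r in responses]
    total = len(results)

    def pct(key: str) -> float:
        return round(100.0 * sum(1 for r in results if r[key]) / total, 2)

    return {
        "sites": total,
        "sts_present_pct": pct("sts_present"),
        "sts_enforced_pct": pct("sts_enforced"),
        "csp_present_pct": pct("csp_present"),
    }


if __name__ == "__main__":
    for key, value in tally(SAMPLE_RESPONSES).items():
        print(f"{key}: {value}")
```

Run it against a dump of real response headers (one block per site) and the three percentages are directly comparable to the Veracode figures; the gap between `sts_present_pct` and `sts_enforced_pct` tells you how many sites ship an STS header that does nothing.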