CSP Adoption Among Ukrainian SME Websites: 12% in March 2025

We analyzed the HTTP response headers of Ukrainian small and medium-sized enterprise (SME) websites for Content-Security-Policy (CSP)—a browser-enforced control against cross-site scripting. Our findings revealed that 88% of the evaluated sites lacked the CSP header.
Ruslan Podgornyi & Sergei Bondarenko
Cyber Defense Unbiased Analysis
DOI: 10.5281/zenodo.21301048

The Rationale Behind Selecting CSP

Incident reporting primarily focuses on stolen credentials and unpatched software. However, Cross-Site Scripting (XSS) has remained in the OWASP Top 10 for over a decade. This is because it does not require compromising underlying infrastructure — it only requires a client’s browser to execute a script unintended by the application.

The exploitation mechanism relies on injecting scripts through unsanitized inputs (comment fields, search parameters, query strings, etc.). Unfiltered, these scripts execute in subsequent users’ browsers, accessing exposed data such as session tokens, payment forms, user submissions, etc.

CSP serves as the primary browser-enforced defense against this attack class, neutralizing injected payloads by restricting script execution exclusively to explicitly declared sources. We selected CSP as the focal metric for this study because it directly addresses script execution control with a highly favorable cost-to-benefit ratio. This asymmetry—broad protection against a persistent threat via straightforward configuration rather than costly infrastructure investment—makes the observed adoption gap a critical indicator of actual security posture rather than a mere compliance checkbox.

Methodology and Scope

We wanted a number that was not filtered through vendor marketing or a company’s own claims about its security posture — just what a browser sees when it loads the page.

Target Selection and Dataset

We focused on the .com.ua zone rather than the national .ua domain. This distinction is critical: Ukraine’s registrar only issues .ua domains to holders of a matching registered trademark, effectively excluding most newly formed or small businesses. The .com.ua zone has no such requirement, providing a much better proxy for how an ordinary Ukrainian SME actually looks on the web.

Initial Extraction
Certificate Transparency logs (.com.ua)
150
Filtered Out
Unreachable & external redirects
-67
Final Dataset
Active, independently operated SMEs
83

Candidate domains were sourced from public Certificate Transparency logs. From an initial extraction of 150 .com.ua domains, we filtered out unreachable hosts and those redirecting to external targets, resulting in a final dataset of 83 active, independently operated business websites.

Defining CSP Adoption

We established a deliberately low baseline: a site was counted as adopting CSP if the header was present in its HTTP response, regardless of whether the policy itself was strict or riddled with insecure wildcards.

Consequently, the 12% adoption rate represents a ceiling on real protection, not a floor. Assessing the actual security value and configuration quality of these implemented policies remains an open question for future research.