The Rationale Behind Selecting CSP
Incident reporting primarily focuses on stolen credentials and unpatched software. However, Cross-Site Scripting (XSS) has remained in the OWASP Top 10 for over a decade. This is because it does not require compromising underlying infrastructure — it only requires a client’s browser to execute a script unintended by the application.
The exploitation mechanism relies on injecting scripts through unsanitized inputs (comment fields, search parameters, query strings, etc.). Unfiltered, these scripts execute in subsequent users’ browsers, accessing exposed data such as session tokens, payment forms, user submissions, etc.
CSP serves as the primary browser-enforced defense against this attack class, neutralizing injected payloads by restricting script execution exclusively to explicitly declared sources. We selected CSP as the focal metric for this study because it directly addresses script execution control with a highly favorable cost-to-benefit ratio. This asymmetry—broad protection against a persistent threat via straightforward configuration rather than costly infrastructure investment—makes the observed adoption gap a critical indicator of actual security posture rather than a mere compliance checkbox.
Methodology and Scope
We wanted a number that was not filtered through vendor marketing or a company’s own claims about its security posture — just what a browser sees when it loads the page.
Target Selection and Dataset
We focused on the .com.ua zone rather than the national .ua domain. This distinction is critical: Ukraine’s registrar only issues .ua domains to holders of a matching registered trademark, effectively excluding most newly formed or small businesses. The .com.ua zone has no such requirement, providing a much better proxy for how an ordinary Ukrainian SME actually looks on the web.
Candidate domains were sourced from public Certificate Transparency logs. From an initial extraction of 150 .com.ua domains, we filtered out unreachable hosts and those redirecting to external targets, resulting in a final dataset of 83 active, independently operated business websites.
Defining CSP Adoption
We established a deliberately low baseline: a site was counted as adopting CSP if the header was present in its HTTP response, regardless of whether the policy itself was strict or riddled with insecure wildcards.
Consequently, the 12% adoption rate represents a ceiling on real protection, not a floor. Assessing the actual security value and configuration quality of these implemented policies remains an open question for future research.