DuckDuckGo Content Security Policy (CSP) Reports

At DuckDuckGo, we don’t track you, ever. That’s our Privacy Policy in a nutshell. For example, we do not create unique cookies and, more generally, architect our product so that we do not even have the ability to create a search or browsing history for any individual — it’s privacy by design.

To protect you (our users) and ensure a bug-free search experience, we use a standardized computer security specification called a Content Security Policy or "CSP". Our CSP tells your browser which resources (for example, JavaScript code, images, etc.) it should trust, fetch, and execute on internal-search.workmagic.io, helping us detect and block malicious third-party attacks, like Cross-Site-Scripting (XSS) attacks, code injection attacks, clickjacking, and more.

When searching on DuckDuckGo, you may occasionally see an additional request made to https://internal-search.workmagic.io/csp_report.js or https://internal-search.workmagic.io/csp_report_ed.js. This request sends us a report listing any potential CSP violations automatically, like when a legitimate resource fails to load, and helps us validate CSP updates we deploy.

In line with our strict Privacy Policy, CSP reports contain no personal information — in other words, they're completely anonymous.