HTTP Headers Analysis for https://careers.shopware.com

HTTP Security Headers

Status

Strict-Transport-Security

Excellent

max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Basic

default-src; base-uri; object-src; +13 more

default-src 'self'; base-uri 'self'; object-src 'none'; upgrade-insecure-requests; form-action 'self' https://*.hsforms.com https://*.hubspot.com; frame-ancestors 'self' https://*.vwo.com https://*.visualwebsiteoptimizer.com https://*.hubspot.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://dev.visualwebsiteoptimizer.com https://js.hs-scripts.com https://js.hsforms.net https://js.hs-analytics.net https://js.hs-banner.com https://js.usemessages.com https://js.hubspot.com https://js.hubspotfeedback.com https://*.usercentrics.eu https://connect.facebook.net https://sst.shopware.com https://static.oktopost.com https://okt.to https://bat.bing.com https://snap.licdn.com https://tracking.g2crowd.com https://cdn.dreamdata.cloud https://googleads.g.doubleclick.net https://a.clarity.ms https://www.clarity.ms https://scripts.clarity.ms; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.usercentrics.eu; font-src 'self' data: https://fonts.gstatic.com https://*.usercentrics.eu; img-src 'self' data: blob: https:; media-src 'self' https:; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com https://*.vwo.com https://*.visualwebsiteoptimizer.com https://*.hubspot.com https://forms.hubspot.com https://share.hsforms.com https://forms.hsforms.com https://meetings.hubspot.com https://*.usercentrics.eu https://player.simplecast.com https://sst.shopware.com https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://stats.g.doubleclick.net https://googleads.g.doubleclick.net https://*.googleads.g.doubleclick.net https://*.doubleclick.net https://www.youtube.com https://youtube.com https://www.youtube-nocookie.com https://i.ytimg.com https://s.ytimg.com https://cdn.contentful.com https://graphql.contentful.com https://images.ctfassets.net https://downloads.ctfassets.net https://dev.visualwebsiteoptimizer.com https://wingify.com https://*.hubspot.com https://api.hsforms.com https://track.hubspot.com https://*.usercentrics.eu https://aggregator.service.usercentrics.eu https://privacy-proxy.usercentrics.eu https://*.pusher.com https://*.oktopost.com https://bat.bing.com https://snap.licdn.com https://tracking.g2crowd.com https://cdn.dreamdata.cloud https://www.clarity.ms https://scripts.clarity.ms wss: https:; worker-src 'self' blob:; child-src 'self' blob: https:; manifest-src 'self';

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

geolocation=(), camera=(), microphone=(), payment=(), fullscreen=(self "https://www.youtube.com" "https://youtube.com"), accelerometer=(self "https://www.youtube.com" "https://youtube.com"), gyroscope=(self "https://www.youtube.com" "https://youtube.com"), magnetometer=(), usb=()

Recommendations

• Improve CSP by adding more specific directives and removing 'unsafe-inline'

Performance Headers

2 headers

Connection

Performance

close

Vary

Performance

Accept-Encoding

Caching Headers

3 headers

Cache-Control

Caching

s-maxage=7200, max-age=1200, stale-while-revalidate=86400

Etag

Caching

W/"GoEpolV6L9"

Last-Modified

Caching

Thu, 15 Jan 2026 12:30:45 GMT

Content Headers

2 headers

Content-Length

Content

1005184

Content-Type

Content

text/html;charset=utf-8

Server Headers

1 headers

X-Powered-By

Server

Shopware

CORS Headers

0 headers

No CORS headers found

Cookies Headers

1 headers

Set-Cookie

Cookies

ribbon_undefined=false; Max-Age=259200; Path=/; Secure; SameSite=Strict

Other Headers

8 headers

Alt-Svc

Other

h3=":443"; ma=86400

Date

Other

Thu, 15 Jan 2026 12:33:57 GMT

Via

Other

1.1 ddba5cc22287785323b6bcc96e4c3062.cloudfront.net (CloudFront)

X-Amz-Cf-Id

Other

l31JJ8tng5qXHS6Ig3aR7mqseX7RwO53WB3j8PPD7elE_PxZijOZmg==

X-Amz-Cf-Pop

Other

IAD61-P13

X-Cache

Other

Miss from cloudfront

X-Cache-Layer

Other

Amplify-Edge-PageBuilder-Catchall

X-Permitted-Cross-Domain-Policies

Other

none

Recommendations

Enable compression (gzip/brotli) to improve performance

Consider removing X-Powered-By header to hide server technology