Open
Cached
·
9m ago
21
Headers
HTTP Security Headers
Status
Strict-Transport-Security
Present
max-age=15552000; includeSubDomains
Content-Security-Policy
Basic
script-src; worker-src; script-src-attr; +14 more
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.2mdn.net *.theoplayer.com *.youtube.com cdnjs.cloudflare.com vjs.zencdn.net static.tagboard.com *.minute.ly blob: *.flourish.studio *.appsflyer.com fifa.eu.qualtrics.com *.fifa.com *.adnxs.com *.crwdcntrl.net *.doubleclick.net *.doubleclick.com *.googleadservices.com *.googleapis.com *.googlesyndication.com *.googletagmanager.com *.googletagservices.com *.googleanalytics.com *.googlevideo.com *.tpcsyndication.com *.nice264.com *.npaw.com *.tealiumiq.com *.tiqcdn.cn *.tiqcdn.com *.youbora.com *.youborafds01.com *.youboranqs01.com *.youboranqs02.com *.gstatic.com adservice.google.cn adservice.google.co.uk adservice.google.com adservice.google.es analytics.twitter.com assets.adobedtm.com cdn.cookielaw.org connect.facebook.net dc.services.visualstudio.com dpm.demdex.net fifa.hb-api.omtrdc.net platform.twitter.com sc-static.net static.ads-twitter.com tr.snapchat.com *.conviva.com *.instagram.com *.tiktok.com *.ttwstatic.com *.tiktokcdn.com *.tiktokcdn-us.com *.2mdn.net *.fifa.gg api.pingone.eu walls.io *.minute.ly *.pingone.com *.pingone.eu *.google.com *.google.ad *.google.ae *.google.com.af *.google.com.ag *.google.com.ai *.google.al *.google.am *.google.co.ao *.google.com.ar *.google.as *.google.at *.google.com.au *.google.az *.google.ba *.google.com.bd *.google.be *.google.bf *.google.bg *.google.com.bh *.google.bi *.google.bj *.google.com.bn *.google.com.bo *.google.com.br *.google.bs *.google.bt *.google.co.bw *.google.by *.google.com.bz *.google.ca *.google.cd *.google.cf *.google.cg *.google.ch *.google.ci *.google.co.ck *.google.cl *.google.cm *.google.cn *.google.com.co *.google.co.cr *.google.com.cu *.google.cv *.google.com.cy *.google.cz *.google.de *.google.dj *.google.dk *.google.dm *.google.com.do *.google.dz *.google.com.ec *.google.ee *.google.com.eg *.google.es *.google.com.et *.google.fi *.google.com.fj *.google.fm *.google.fr *.google.ga *.google.ge *.google.gg *.google.com.gh *.google.com.gi *.google.gl *.google.gm *.google.gr *.google.com.gt *.google.gy *.google.com.hk *.google.hn *.google.hr *.google.ht *.google.hu *.google.co.id *.google.ie *.google.co.il *.google.im *.google.co.in *.google.iq *.google.is *.google.it *.google.je *.google.com.jm *.google.jo *.google.co.jp *.google.co.ke *.google.com.kh *.google.ki *.google.kg *.google.co.kr *.google.com.kw *.google.kz *.google.la *.google.com.lb *.google.li *.google.lk *.google.co.ls *.google.lt *.google.lu *.google.lv *.google.com.ly *.google.co.ma *.google.md *.google.me *.google.mg *.google.mk *.google.ml *.google.com.mm *.google.mn *.google.ms *.google.com.mt *.google.mu *.google.mv *.google.mw *.google.com.mx *.google.com.my *.google.co.mz *.google.com.na *.google.com.ng *.google.com.ni *.google.ne *.google.nl *.google.no *.google.com.np *.google.nr *.google.nu *.google.co.nz *.google.com.om *.google.com.pa *.google.com.pe *.google.com.pg *.google.com.ph *.google.com.pk *.google.pl *.google.pn *.google.com.pr *.google.ps *.google.pt *.google.com.py *.google.com.qa *.google.ro *.google.ru *.google.rw *.google.com.sa *.google.com.sb *.google.sc *.google.se *.google.com.sg *.google.sh *.google.si *.google.sk *.google.com.sl *.google.sn *.google.so *.google.sm *.google.sr *.google.st *.google.com.sv *.google.td *.google.tg *.google.co.th *.google.com.tj *.google.tl *.google.tm *.google.tn *.google.to *.google.com.tr *.google.tt *.google.com.tw *.google.co.tz *.google.com.ua *.google.co.ug *.google.co.uk *.google.com.uy *.google.co.uz *.google.com.vc *.google.co.ve *.google.vg *.google.co.vi *.google.com.vn *.google.vu *.google.ws *.google.rs *.google.co.za *.google.co.zm *.google.co.zw *.google.cat *.google.ly;worker-src 'self' blob:;script-src-attr 'unsafe-inline';default-src 'unsafe-inline' blob:;manifest-src 'self' 'unsafe-inline' blob:;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com *.ttwstatic.com;img-src 'self' 'unsafe-inline' data: blob: *;media-src 'self' 'unsafe-inline' data: blob: *;connect-src 'self' localhost:* cxm-dev-gl-afd-001-apis-fifa-bcfmhrbneqb6e0ee.z01.azurefd.net fifa-rewards-webapp-dev-acp-hwbta4bza3a7gyau.westeurope-01.azurewebsites.net cxm-dev-gl-afd-001-apis-fifa.azurefd.net cxm-uat-gl-afd-001-apis-fifa.azurefd.net *.cloudfront.net *.fifa.gg *.fifa.org *.mycujoo.tv *.mcls.live *.p5cdn.com *.theoplayer.com *.youtube.com *.uplynk.com *.minute.ly *.onetrust.com mycujoo-static-fastly.images.mcls.live cpt-services-fastly.images.mcls.live mycujoo-assets-fastly.images.mcls.live m-tv-fastly.images.mcls.live mycujoo-thumbs-fastly.images.mcls.live wss://mls-rt.mycujoo.tv *.appsflyer.com *.flourish.studio cxm-dev-we-fas-001-search-api.azurewebsites.net cxm-uat-we-fas-001-search-api.azurewebsites.net fifa.eu.qualtrics.com gameday-uat.fifa.mangodev.co.uk gameday-prod.fifa.mangodev.co.uk *.fifa.com *.adnxs.com *.crwdcntrl.net *.doubleclick.net *.doubleclick.com *.googleadservices.com *.googleapis.com *.googlesyndication.com *.googletagmanager.com *.googletagservices.com *.googleanalytics.com *.googlevideo.com *.tpcsyndication.com *.nice264.com *.npaw.com *.tealiumiq.com *.tiqcdn.cn *.tiqcdn.com *.youbora.com *.youborafds01.com *.youboranqs01.com *.youboranqs02.com *.gstatic.com adservice.google.cn adservice.google.co.uk adservice.google.com adservice.google.es analytics.twitter.com assets.adobedtm.com cdn.cookielaw.org connect.facebook.net dc.services.visualstudio.com dpm.demdex.net fifa.hb-api.omtrdc.net platform.twitter.com sc-static.net static.ads-twitter.com tr.snapchat.com *.conviva.com *.instagram.com *.tiktok.com *.ttwstatic.com *.tiktokcdn.com *.tiktokcdn-us.com *.2mdn.net *.fifa.gg api.pingone.eu walls.io *.minute.ly *.pingone.com *.pingone.eu;frame-ancestors 'self' https://apps.monterosa.cloud https://mtsa-blog.fifa.com;frame-src 'self' *.fifa.com *.doubleclick.net *.googlesyndication.com *.googleapis.com *.theoplayer.com *.walls.io *.flourish.studio https://flo.uri.sh/ https://www.fifa.gg/ https://fifa.demdex.net/ https://tags.crwdcntrl.net/ https://tr.snapchat.com/ https://www.facebook.com/ https://m.facebook.com/ https://www.google.com/ https://www.youtube.com/ https://platform.twitter.com/ https://www.instagram.com/ https://scontent.cdninstagram.com/ https://www.tiktok.com/ https://fifa-interest-page-dev-app.azurewebsites.net https://fifa-interest-page-qa-app.azurewebsites.net/ https://fifa-interest-page-prd-app.azurewebsites.net/ https://fifa-registration-of-interest-qa-app.azurewebsites.net/ https://fifa-registration-of-interest-prd-app.azurewebsites.net/ https://apps.monterosa.cloud https://mtsa-blog.fifa.com https://embed.tagboard.com https://fifa.eu.qualtrics.com https://embed.podcasts.apple.com https://connect.us.app.pam.co https://www.airbnb.com https://www.airbnb.fr https://www.airbnb.es https://www.airbnb.de https://www.airbnb.pt https://www.airbnb.it https://www.airbnb.co.id https://www.airbnb.co.kr https://www.airbnb.jp https://ar.airbnb.com https://www.airbnb.ae/ https://www.airbnb.ca/ https://www.airbnb.co.in/ https://www.airbnb.co.nz/ https://www.airbnb.co.uk/ http://www.airbnb.co.za/ https://www.airbnb.com.au/ https://www.airbnb.com.sg/ https://www.airbnb.gy/ https://www.airbnb.ie/;form-action 'self' https://tr.snapchat.com/ https://www.facebook.com/;base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;object-src 'none';upgrade-insecure-requests
X-Frame-Options
Good
SAMEORIGIN
X-Content-Type-Options
Good
nosniff
Referrer-Policy
Good
no-referrer
Permissions-Policy
Missing
Not configured
Recommendations
- • Increase HSTS max-age to at least 1 year and add includeSubDomains
- • Improve CSP by adding more specific directives and removing 'unsafe-inline'
- • Consider adding Permissions-Policy to control browser features
Performance Headers
1 headers
Connection
Performance
close
Caching Headers
2 headers
Cache-Control
Caching
public, max-age=60
Etag
Caching
W/"1311-RfPnPrNDgBNlbWqclWi1w6SpG9Y"
Content Headers
2 headers
Content-Length
Content
4996
Content-Type
Content
text/html; charset=utf-8
Server Headers
0 headers
No server headers found
CORS Headers
2 headers
Access-Control-Allow-Credentials
Cors
true
Access-Control-Allow-Origin
Cors
*
Cookies Headers
1 headers
Set-Cookie
Cookies
bm_sz=565B44F8473F9B678146080440CB6A58~YAAQR2vcF+bmQCabAQAA4MXKsB6SRfTkr8ORINB2uD3kIBA6T/jarxamGsNbkBx+0HYzAZm2lqCSchp+0hil48aDtYNHnEOr3nOPh1fvfyu4UstKrQwOtEiU+fg1UHnViSWTnf8f1HGap2utp8zILRSV45fvFRVLX4oMfskV7B1i6owy2SWtRWBLJrs+3QE3Pp7krBgzDuwPup3/LLaYAJqsJ6X6E9p2ORo12OyBMpF2trhTsvXiEaTUEdKEDpQaMQy393e9AooQGropXqeneXcgMI42YFaeChWRLbif8amv35D1C1POH7wsgPicBE8KwBmoXH5uYprFT7Y+MaoO1S/Hgd78p0h1KR1ewqE=~4534839~3227953; Domain=.fifa.com; Path=/; Expires=Mon, 12 Jan 2026 10:00:37 GMT; Max-Age=14400
Other Headers
6 headers
Akamai-Grn
Other
0.476bdc17.1768197637.c8045d13
Date
Other
Mon, 12 Jan 2026 06:00:37 GMT
Request-Context
Other
appId=cid-v1:3c8c7fd6-ce5c-46d2-8055-0a053f49c436
X-Akamai-Transformed
Other
0 - 0 -
X-Fifa-Current-Age
Other
43
X-Fifa-Internal-Ttl
Other
60
Recommendations
Enable compression (gzip/brotli) to improve performance