# Uncached JavaScript/CSS Resources Audit

**Last Updated:** 2026-03-18  
**Source:** ordio.com_uncached_javascript_and_css_files_20260221.csv, ordio.com_uncached_javascript_and_css_files_20260318.csv

## Summary

| Page | Resource | Type | Status |
|------|----------|------|--------|
| https://www.ordio.com/warenbestellung | https://js-eu1.hs-scripts.com/145133546.js | JavaScript | **Mitigated via Service Worker** |

## Findings

### HubSpot Tracking Script (js-eu1.hs-scripts.com/145133546.js)

**Nature:** Third-party script served from HubSpot's EU CDN.

**Why it appears uncached:**
- HubSpot controls Cache-Control headers on their CDN
- Ordio cannot modify response headers for external domains
- Many analytics/tracking scripts use short cache lifetimes or no-cache so that updates propagate

**Mitigations applied:**
- ✅ Script loaded with `async` and `defer` (via `loadHubSpot()` in `v2/base/footer.php`)
- ✅ Consent-gated – loads only when user accepts HubSpot (Marketing & Chat)
- ✅ Preconnect with `crossorigin` on warenbestellung page
- ✅ DNS-prefetch for js-eu1.hs-scripts.com
- ✅ v2/base/head.php includes preconnect for all v2 pages
- ✅ **Service Worker registration on warenbestellung** (2026-03-18) – `html/warenbestellung.php` now registers the service worker so the HubSpot script is served from cache on repeat visits

**Conclusion:** HubSpot cache headers cannot be changed. Mitigation: Service Worker caches the script client-side. The warenbestellung page (legacy html/) did not previously register the service worker; this has been added.
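
The sketch below shows one way a service worker can cache this single third-party script without becoming a general cross-origin cache. It is an added example, not Ordio's actual service worker. The cache name, the helper names (`isCacheable`, `staleWhileRevalidate`) and the stale-while-revalidate strategy are assumptions; only the script URL comes from the audit table above.

```javascript
// Added example: cache name and helper names are assumptions, not Ordio's worker.
const CACHE_NAME = 'third-party-scripts-v1';
// Exact URL from the audit table; nothing else on the CDN is cached.
const ALLOWLIST = new Set(['https://js-eu1.hs-scripts.com/145133546.js']);

// HTTPS only, no query string, exact origin + path match.
function isCacheable(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return u.protocol === 'https:' && u.search === '' &&
    ALLOWLIST.has(u.origin + u.pathname);
}

// Stale-while-revalidate: answer from cache when possible and refresh the
// entry in the background, so HubSpot's updates still arrive on the next visit.
// cache, fetchFn and waitUntil are injected so the logic runs outside a worker.
async function staleWhileRevalidate(request, cache, fetchFn, waitUntil) {
  if (request.method !== 'GET' || !isCacheable(request.url)) {
    return fetchFn(request);
  }
  const cached = await cache.match(request);
  const refresh = fetchFn(request).then(async (res) => {
    // A <script> without the crossorigin attribute is fetched no-cors, so the
    // response is opaque (status 0, ok === false); store it or a 2xx only.
    if (res.ok || res.type === 'opaque') await cache.put(request, res.clone());
    return res;
  });
  if (!cached) return refresh;               // first visit: network, then cached
  waitUntil(refresh.catch(() => undefined)); // a failed refresh must not throw
  return cached;
}

// Worker wiring. The worker only answers requests the page makes, so the
// consent gate in loadHubSpot() still decides whether any request happens.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    if (!isCacheable(event.request.url)) return; // browser handles the rest
    event.respondWith(caches.open(CACHE_NAME).then((cache) =>
      staleWhileRevalidate(event.request, cache, fetch,
        (p) => event.waitUntil(p))));
  });
}
```

Because an opaque response cannot be inspected, a cached error page is indistinguishable from the real script until the next background refresh replaces it.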

## References

- [GDPR_DSGVO_HUBSPOT_AUDIT.md](../systems/gdpr/GDPR_DSGVO_HUBSPOT_AUDIT.md) – HubSpot integration and consent flow
- [MCP_INTEGRATION.md](../development/MCP_INTEGRATION.md) – Lighthouse audits for performance validation
