davidbgk
/
larlet-fr-david-cache
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58 Commits
1 Branch
Tree: 1599e90c79
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1599e90c79'
${ noResults }
larlet-fr-david-cache/cache/6f8793385f7b1ea2511bf614b52.../index.md

index.md 17KB
Raw Normal View History

Add cache data
4 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263 
  1. title: Self-Host Your Static Assets

  2. url: https://csswizardry.com/2019/05/self-host-your-static-assets/

  3. hash_url: 6f8793385f7b1ea2511bf614b5287397

  4. 

  5. <details>

  6. <summary>Table of Contents</summary>

  7. <ol>

  8. <li><a href="#what-am-i-talking-about">What Am I Talking About?</a></li>

  9. <li><a href="#risk-slowdowns-and-outages">Risk: Slowdowns and Outages</a></li>

  10. <li><a href="#risk-service-shutdowns">Risk: Service Shutdowns</a></li>

  11. <li><a href="#risk-security-vulnerabilities">Risk: Security Vulnerabilities</a>

  12. <ol>

  13. <li><a href="#mitigation-subresource-integrity">Mitigation: Subresource Integrity</a></li>

  14. </ol>

  15. </li>

  16. <li><a href="#penalty-network-negotiation">Penalty: Network Negotiation</a>

  17. <ol>

  18. <li><a href="#mitigation-preconnect">Mitigation: <code class="highlighter-rouge">preconnect</code></a></li>

  19. </ol>

  20. </li>

  21. <li><a href="#penalty-loss-of-prioritisation">Penalty: Loss of Prioritisation</a></li>

  22. <li><a href="#penalty-caching">Penalty: Caching</a></li>

  23. <li><a href="#myth-cross-domain-caching">Myth: Cross-Domain Caching</a></li>

  24. <li><a href="#myth-access-to-a-cdn">Myth: Access to a CDN</a></li>

  25. <li><a href="#self-host-your-static-assets">Self-Host Your Static Assets</a></li>

  26. </ol>

  27. </details>

  28. <p>One of the quickest wins—and one of the first things I recommend my clients

  29. do—to make websites faster can at first seem counter-intuitive: you should

  30. self-host all of your static assets, forgoing others’ CDNs/infrastructure. In

  31. this short and hopefully very straightforward post, I want to outline the

  32. disadvantages of hosting your static assets ‘off-site’, and the overwhelming

  33. benefits of hosting them on your own origin.</p>

  34. <h2 id="what-am-i-talking-about">What Am I Talking About?</h2>

  35. <p>It’s not uncommon for developers to link to static assets such as libraries or

  36. plugins that are hosted at a public/CDN URL. A classic example is jQuery, that

  37. we might link to like so:</p>

  38. <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"&gt;&lt;/script&gt;

  39. </code></pre></div></div>

  40. <p>There are a number of perceived benefits to doing this, but my aim later in this

  41. article is to either debunk these claims, or show how other costs vastly

  42. outweigh them.</p>

  43. <ul>

  44. <li><strong>It’s convenient.</strong> It requires very little effort or brainpower to include

  45. files like this. Copy and paste a line of HTML and you’re done. Easy.</li>

  46. <li><strong>We get access to a CDN.</strong> <code class="highlighter-rouge">code.jquery.com</code> is served by

  47. <a href="https://www.stackpath.com/products/cdn/">StackPath</a>, a CDN. By linking to

  48. assets on this origin, we get CDN-quality delivery, free!</li>

  49. <li><strong>Users might already have the file cached.</strong> If <code class="highlighter-rouge">website-a.com</code> links to

  50. <code class="highlighter-rouge">https://code.jquery.com/jquery-3.3.1.slim.min.js</code>, and a user goes from there

  51. to <code class="highlighter-rouge">website-b.com</code> who also links to

  52. <code class="highlighter-rouge">https://code.jquery.com/jquery-3.3.1.slim.min.js</code>, then the user will already

  53. have that file in their cache.</li>

  54. </ul>

  55. <h2 id="risk-slowdowns-and-outages">Risk: Slowdowns and Outages</h2>

  56. <p>I won’t go into too much detail in this post, because I have a <a href="https://csswizardry.com/2017/07/performance-and-resilience-stress-testing-third-parties/">whole

  57. article</a>

  58. on the subject of third party resilience and the risks associated with slowdowns

  59. and outages. Suffice to say, if you have any critical assets served by third

  60. party providers, and that provider is suffering slowdowns or, heaven forbid,

  61. outages, it’s pretty bleak news for you. You’re going to suffer, too.</p>

  62. <p>If you have any render-blocking CSS or synchronous JS hosted on third party

  63. domains, go and bring it onto your own infrastructure <em>right now</em>. Critical

  64. assets are far too valuable to leave on someone else’s servers.</p>

  65. <h2 id="risk-service-shutdowns">Risk: Service Shutdowns</h2>

  66. <p>A far less common occurrence, but what happens if a provider decides they need

  67. to shut down the service? This is exactly what <a href="https://rawgit.com">Rawgit</a> did

  68. in October 2018, yet (at the time of writing) a crude GitHub code search still

  69. yielded <a href="https://github.com/search?q=rawgit&amp;type=Code">over a million

  70. references</a> to the now-sunset

  71. service, and almost 20,000 live sites are still linking to it!</p>

  72. <figure>

  73. <img src="/wp-content/uploads/2019/05/big-query-rawgit.jpg" alt=""/>

  74. <figcaption>Many thanks to <a href="https://twitter.com/paulcalvano">Paul

  75. Calvano</a> who very kindly <a href="https://bigquery.cloud.google.com/savedquery/226352634162:7c27aa5bac804a6687f58db792c021ee">queried

  76. the HTTPArchive</a> for me.</figcaption>

  77. </figure>

  78. <h2 id="risk-security-vulnerabilities">Risk: Security Vulnerabilities</h2>

  79. <p>Another thing to take into consideration is the simple question of trust. If

  80. we’re bringing content from external sources onto our page, we have to hope that

  81. the assets that arrive are the ones we were expecting them to be, and that

  82. they’re doing only what we expected them to do.</p>

  83. <p>Imagine the damage that would be caused if someone managed to take control of

  84. a provider such as <code class="highlighter-rouge">code.jquery.com</code> and began serving compromised or malicious

  85. payloads. It doesn’t bear thinking about!</p>

  86. <h3 id="mitigation-subresource-integrity">Mitigation: Subresource Integrity</h3>

  87. <p>To the credit of all of the providers referenced so far in this article, they do

  88. all make use of <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">Subresource

  89. Integrity</a>

  90. (SRI). SRI is a mechanism by which the provider supplies a hash (technically,

  91. a hash that is then Base64 encoded) of the exact file that you both expect and

  92. intend to use. The browser can then check that the file you received is indeed

  93. the one you requested.</p>

  94. <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;script src="https://code.jquery.com/jquery-3.4.1.slim.min.js"

  95.         integrity="sha256-pasqAKBDmFT4eHoN2ndd6lN370kFiGUFyTiUHWhU7k8="

  96.         crossorigin="anonymous"&gt;&lt;/script&gt;

  97. </code></pre></div></div>

  98. <p>Again, if you absolutely must link to an externally hosted static asset, make

  99. sure it’s SRI-enabled. You can add SRI yourself using <a href="https://www.srihash.org/">this handy

  100. generator</a>.</p>

  101. <h2 id="penalty-network-negotiation">Penalty: Network Negotiation</h2>

  102. <p>One of the biggest and most immediate penalties we pay is the cost of opening

  103. new TCP connections. Every new origin we need to visit needs a connection

  104. opening, and that can be very costly: DNS resolution, TCP handshakes, and TLS

  105. negotiation all add up, and the story gets worse the higher the latency of the

  106. connection is.</p>

  107. <p>I’m going to use an example taken straight from Bootstrap’s own <a href="https://getbootstrap.com/docs/4.3/getting-started/introduction/">Getting

  108. Started</a>. They

  109. instruct users to include these following four files:</p>

  110. <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="..." crossorigin="anonymous"&gt;

  111. &lt;script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="..." crossorigin="anonymous"&gt;&lt;/script&gt;

  112. &lt;script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="..." crossorigin="anonymous"&gt;&lt;/script&gt;

  113. &lt;script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="..." crossorigin="anonymous"&gt;&lt;/script&gt;

  114. </code></pre></div></div>

  115. <p>These four files are hosted across three different origins, so we’re going to

  116. need to open three TCP connections. How much does that cost?</p>

  117. <p>Well, on a reasonably fast connection, hosting these static assets off-site is

  118. 311ms, or 1.65×, slower than hosting them ourselves.</p>

  119. <figure>

  120. <img src="/wp-content/uploads/2019/05/wpt-off-site-cable.png" alt=""/>

  121. <figcaption>By linking to three different origins in order to serve static

  122. assets, we cumulatively lose a needless 805ms to network negotiation. <a href="https://www.webpagetest.org/result/190531_FY_618f9076491312ef625cf2b1a51167ae/3/details/">Full

  123. test.</a></figcaption>

  124. </figure>

  125. <p>Okay, so not exactly terrifying, but Trainline, a client of mine, found that by

  126. reducing latency by 300ms, <a href="https://wpostats.com/2016/05/04/trainline-spending.html">customers spent an extra £8m

  127. a year</a>. This is

  128. a pretty quick way to make eight mill.</p>

  129. <figure>

  130. <img src="/wp-content/uploads/2019/05/wpt-self-hosted-cable.png" alt=""/>

  131. <figcaption>By simply moving our assets onto the host domain, we completely

  132. remove any extra connection overhead. <a href="https://www.webpagetest.org/result/190531_FX_f7d7b8ae511b02aabc7fa0bbef0e37bc/3/details/">Full

  133. test.</a></figcaption>

  134. </figure>

  135. <p>On a slower, higher-latency connection, the story is much, much worse. Over 3G,

  136. the externally-hosted version comes in at an eye-watering <strong>1.765s slower</strong>.

  137. I thought this was meant to make our site faster?!</p>

  138. <figure>

  139. <img src="/wp-content/uploads/2019/05/wpt-off-site-3g.png" alt=""/>

  140. <figcaption>On a high latency connection, network overhead totals a whopping

  141. 5.037s. All completely avoidable. <a href="https://www.webpagetest.org/result/190531_XE_a95eebddd2346f8bb572cecf4a8dae68/3/details/">Full

  142. test.</a></figcaption>

  143. </figure>

  144. <p>Moving the assets onto our own infrastructure brings load times down from around

  145. 5.4s to just 3.6s.</p>

  146. <figure>

  147. <img src="/wp-content/uploads/2019/05/wpt-self-hosted-3g.png" alt=""/>

  148. <figcaption>By self-hosting our static assets, we don’t need to open any more

  149. connections. <a href="https://www.webpagetest.org/result/190531_ZF_4d76740567ec1eba1e6ec67acfd57627/1/details/">Full

  150. test.</a></figcaption>

  151. </figure>

  152. <p>If this isn’t already a compelling enough reason to self-host your static

  153. assets, I’m not sure what is!</p>

  154. <h3 id="mitigation-preconnect">Mitigation: <code class="highlighter-rouge">preconnect</code></h3>

  155. <p>Naturally, my whole point here is that you should not host any static assets

  156. off-site if you’re otherwise able to self-host them. However, if your hands are

  157. somehow tied, then you can use <a href="https://speakerdeck.com/csswizardry/more-than-you-ever-wanted-to-know-about-resource-hints?slide=28">a <code class="highlighter-rouge">preconnect</code> Resource

  158. Hint</a>

  159. to preemptively open a TCP connection to the specified origin(s):</p>

  160. <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;head&gt;

  161. 

  162.   ...

  163. 

  164.   &lt;link rel="preconnect" href="https://code.jquery.com" /&gt;

  165. 

  166.   ...

  167. 

  168. &lt;/head&gt;

  169. </code></pre></div></div>

  170. <p>For bonus points, deploying these as <a href="https://andydavies.me/blog/2019/03/22/improving-perceived-performance-with-a-link-rel-equals-preconnect-http-header/">HTTP

  171. headers</a>

  172. will be even faster.</p>

  173. <p><strong>N.B.</strong> Even if you do implement <code class="highlighter-rouge">preconnect</code>, you’re still only going to make

  174. a small dent in your lost time: you still need to open the relevant connections,

  175. and, especially on high latency connections, it’s unlikely that you’re ever

  176. going to fully pay off the overhead upfront.</p>

  177. <h2 id="penalty-loss-of-prioritisation">Penalty: Loss of Prioritisation</h2>

  178. <p>The second penalty comes in the form of a protocol-level optimisation that we

  179. miss out on the moment we split content across domains. If you’re running over

  180. HTTP/2—which, by now, you should be—you get access to prioritisation. All

  181. streams (ergo, resources) within the same TCP connection carry a priority, and

  182. the browser and server work in tandem to build a dependency tree of all of these

  183. prioritised streams so that we can return critical assets sooner, and perhaps

  184. delay the delivery of less important ones.</p>

  185. <p><small><strong>N.B.</strong> Technically, owing to H/2’s <a href="https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/">connection

  186. coalescence</a>,

  187. requests can be prioritised against each other over different domains as long as

  188. they share the same IP address.</small></p>

  189. <p>If we split our assets across multiple domains, we have to open up several

  190. unique TCP connections. We cannot cross-reference any of the priorities within

  191. these connections, so we lose the ability to deliver assets in a considered and

  192. well designed manner.</p>

  193. <p>Compare the two HTTP/2 dependency trees for both the off-site and self-hosted

  194. versions respectively:</p>

  195. <figure>

  196. <img src="/wp-content/uploads/2019/05/wpt-dep-tree-off-site.png" alt=""/>

  197. <figcaption>Notice how we need to build new dependency trees per

  198. origin? Stream IDs 1 and 3 keep reoccurring.</figcaption>

  199. </figure>

  200. <figure>

  201. <img src="/wp-content/uploads/2019/05/wpt-dep-tree-self-hosted.png" alt=""/>

  202. <figcaption>By hosting all content under the same origin, we can build one, more

  203. complete dependency tree. Every stream has a unique ID as they’re all in the

  204. same tree.</figcaption>

  205. </figure>

  206. <p><small>Fun fact: Stream IDs with an odd number were initiated by the client;

  207. those with an even number were initiated by the server. I honestly don’t think

  208. I’ve ever seen an even-numbered ID in the wild.</small></p>

  209. <p>If we serve as much content as possible from one domain, we can let H/2 do its

  210. thing and prioritise assets more completely in the hopes of better-timed

  211. responses.</p>

  212. <h2 id="penalty-caching">Penalty: Caching</h2>

  213. <p>By and large, static asset hosts seem to do pretty well at establishing

  214. long-lived <code class="highlighter-rouge">max-age</code> directives. This makes sense, as static assets at versioned

  215. URLs (as above) will never change. This makes it very safe and sensible to

  216. enforce a reasonably aggressive cache policy.</p>

  217. <p>That said, this isn’t always the case, and by self-hosting your assets you can

  218. design <a href="https://csswizardry.com/2019/03/cache-control-for-civilians/">much more bespoke caching

  219. strategies</a>.</p>

  220. <h2 id="myth-cross-domain-caching">Myth: Cross-Domain Caching</h2>

  221. <p>A more interesting take is the power of cross-domain caching of assets. That is

  222. to say, if lots and lots of sites link to the same CDN-hosted version of, say,

  223. jQuery, then surely users are likely to already have that exact file on their

  224. machine already? Kinda like peer-to-peer resource sharing. This is one of the

  225. most common arguments I hear in favour of using a third-party static asset

  226. provider.</p>

  227. <p>Unfortunately, there seems to be no published evidence that backs up these

  228. claims: there is nothing to suggest that this is indeed the case. Conversely,

  229. <a href="https://discuss.httparchive.org/t/analyzing-resource-age-by-content-type/1659">recent

  230. research</a>

  231. by <a href="https://twitter.com/paulcalvano">Paul Calvano</a> hints that the opposite might

  232. be the case:</p>

  233. <blockquote>

  234. <p>There is a significant gap in the 1st vs 3rd party resource age of CSS and web

  235. fonts. 95% of first party fonts are older than 1 week compared to 50% of 3rd

  236. party fonts which are less than 1 week old! This makes a strong case for self

  237. hosting web fonts!</p>

  238. </blockquote>

  239. <p>In general, third party content seems to be less-well cached than first party

  240. content.</p>

  241. <p>Even more importantly, <a href="https://andydavies.me/blog/2018/09/06/safari-caching-and-3rd-party-resources/">Safari has completely disabled this

  242. feature</a>

  243. for fear of abuse where privacy is concerned, so the shared cache technique

  244. cannot work for, at the time of writing, <a href="http://gs.statcounter.com/">16% of users

  245. worldwide</a>.</p>

  246. <p>In short, although nice in theory, there is no evidence that cross-domain

  247. caching is in any way effective.</p>

  248. <h2 id="myth-access-to-a-cdn">Myth: Access to a CDN</h2>

  249. <p>Another commonly touted benefit of using a static asset provider is that they’re

  250. likely to be running beefy infrastructure with CDN capabilities: globally

  251. distributed, scalable, low-latency, high availability.</p>

  252. <p>While this is absolutely true, if you care about performance, you should be

  253. running your own content from a CDN already. With the price of modern hosting

  254. solutions being what they are (this site is fronted by Cloudflare which is

  255. free), there’s very little excuse for not serving your own assets from one.</p>

  256. <p>Put another way: if you think you need a CDN for your jQuery, you’ll need a CDN

  257. for everything. Go and get one.</p>

  258. <h2 id="self-host-your-static-assets">Self-Host Your Static Assets</h2>

  259. <p>There really is very little reason to leave your static assets on anyone else’s

  260. infrastructure. The perceived benefits are often a myth, and even if they

  261. weren’t, the trade-offs simply aren’t worth it. Loading assets from multiple

  262. origins is demonstrably slower. Take ten minutes over the next few days to audit

  263. your projects, and fetch any off-site static assets under your own control.</p>