DEV Community

How do you decide between security and speed?

This is a question for people who have enabled a Content Security Policy header on their website.

Using Content Security Policy headers requires you to remove all inline CSS and JavaScript, which is why I have not done it.

Inline CSS and JavaScript are critical for speed. How do you balance this?

This is a huge dilemma for me, because reducing HTTP requests by inlining CSS/JS makes the site faster.

However, I've read so many articles saying that a Content Security Policy is your number one defense against cross-site scripting (XSS) attacks.

What to do?

Top comments (3)

Jan Küster 🔥

How big is the speed disadvantage when CSP is active? Will it matter to your target audience?

fleshmecha

An HTTP request is ~600 ms in my experience. I would need at least two more requests to remove inline JS and CSS, which would add ~1.2 s of load time. Youthful people, who are my target audience, care about speed. I suppose that's my answer, thanks.

Jan Küster 🔥

Have you measured this or is this an estimation? Which bandwidth did you use? Young people usually also care about a provider with good bandwidth. I would always favour security before performance. If you can prevent XSS with other mechanisms then it's fine. By the way, this is a typical use case for a beta test with an A/B setup to see if CSP will really have an impact on user experience.