DEV Community

Discussion on: How do you decide between security and speed?

Collapse
 
jankapunkt profile image
Jan Küster

How big is the speed disadvantage when CSP is active? Will it matter to your target audience?

Collapse
 
fleshmecha profile image

An HTTP request is ~600 ms in my experience. I would need at least two more requests to remove inline JS and CSS, which would add ~1.2s of load time. Youthful people care about speed, which is my target audience. I suppose that's my answer, thanks.

Collapse
 
jankapunkt profile image
Jan Küster

Have you measured this or is this an estimation? Which bandwidth did you use? Young people usually also care about a provider with good bandwidth. I would always favour security before performance. If you can prevent xss with.other mechanisms then it's fine. By the way this a typical use case for a beta test with a-b setup to see if CSP will really have an impact on user experience.