Security and performance: Breaking the conundrum

Description

While the focus has generally been on protecting users by blocking requests going to the origin, there is now a shift in trying to protect users at the browser while providing an optimal experience. There are other areas such as HTTP2 with the new concept of server push, where the focus is queuing up resources at the origin without being requested by the browser. This poses the question: “Where does security fit in?”, as we are still attempting to reduce the number of requests and focusing on the end user experience.

The goal of security is to ensure we protect the origin servers by blocking malicious requests going forward. The goal of front-end performance (not backbone) is to improve browser rendering for the end user by using several optimizations, one being reducing the number of HTTP requests, which increase load time.

With both goals defined, we can see that the implications of front-end optimization being applied to a website inherently reduces the need for security at the origin, as much of the rendering work is focused on the front end without needing to go back to the origin server. Additionally, through the use of certain front-end optimization techniques mentioned below, users can avoid some security risks that are involved in navigating between various pages in a site, clicking on third-party content, and filling out forms.

1. Code obfuscation
2. Leveraging the HTML5 local storage capabilities with specific reference to JavaScript resource consolidation
3. Iframe sandboxing to avoid phishing and injecting third party scripts
4. Cacheable Ajax (with non personalized data)
5. Asynchronous JavaScript (defer execution to the onload event)
6. Image lazy loading (the pros and cons)

Security benefits are observed at the browser level through the use of the above optimizations that enhance the end-user experience.