Should you change how you serve static assets?
On the 15th of June, I wrote a thread on my Mastodon account:
For one, Cloudflare censors people, depending on their country. Using this means you're trusting two third parties: Cloudflare and the CDN provider.
So a MITM attack is quite possible here.
If you do it the sensible thing and host it on your own server, YOU choose who you deliver that content to.
Also, you have just removed a huge attack vector from your site.
Giving a random third party access to script execution on your website means they can really run anything if they want to.
I also find it quite scary that a large partition of the web relies on these CDNs. Let's stop, and decentralize it by not using them.
Centralization is not the answer, it's their answer. Just because it's the new flashy toy, it doesn't mean you have to follow it.
I'd like to expand on that concept, and clarify a few misconceptions.
First off, while snazzy caching features could theoretically make your website load quicker...
One of the main reasons of using a CDN is cookies.
When a server responds to a request, it normally sends down a
Cookie header. Then, when the browser makes another response to the server, the same
Cookie header is sent. This is particularly useful for exchanging data between the client and the server.
Cookies sound great!
But there's a problem...
example.com's server sets a cookie. On every request, the browser has to send this. This will, of course, create a delay, where the browser has to search the cache or read from your much slower hard drive.
That's why some companies have two domains: their main domain (
example.com), and a separate hostname for assets:
There is a quick solution to this, though: if you use
www.example.com, the cookies stored in that scope won't be accessible by
static.example.com. This would make the request size much smaller, and faster.
Balance out the facts, and decide what's best for you.