Can Third-Party Scripts Take Down Your Entire Site?

1. Can Third-Party Scripts Take Down Your Entire Site? Tammy Everts O’Reilly Webcast – June 4, 2014

2. Conversions Ad revenue Page views Visitor data No need to re-invent the wheel Quick and easy Established Support Slide 2

3. Third-party calls can make up >50% of page requests. Slide 3 Steve Souders: http://www.fastly.com/blog/steve-souders-webperf-web-components/

4. Slide 4

5. Slide 5

6. Slide 6

7. Third-party scripts present risks to your pages and to your users: Outages Slowdowns Security (?) Slide 7

8. Slide 8

9. Slide 9

10. Increase page weight Increase number of hosts and connections Introduce additional latency Slide 10

11. Slide 11 832ms 1.788s918ms

12. Wait… what the heck is a fourth-party call? Slide 12

13. Slide 13 http://www.webperformancetoday.com/2011/07/14/fourth-party-calls-third-party-content/

14. Slide 14

15. 1. Audit your third-party scripts.

16. • Identify all third-party scripts • Know which pages they’re on • Find out what performance best practices, if any, each script uses (e.g., deferral, async loading) • Read the SLA for each provider (if they have one) Slide 16

17. Slide 17 http://www.webpagetest.org

18. Slide 18

19. http://www.webperformancetoday.com/2014/03/18/waterfalls-101-how-to-use-a-waterfall-chart-to-diagnose- performance-pains/ Slide 19

20. Slide 20

21. Slide 21

22. 2. Test for SPOFs.

23. The old, painful way: http://www.webperformancetoday.com/2011/10/13/how- vulnerable-is-your-site-to-third-party-failure/ Slide 23

24. Slide 24 The new, better way: https://chrome.google.com/webstore/search/spof-o-matic

25. Slide 25

26. Slide 26

27. Slide 27

28. Slide 28 SPOF: 22.7s Original: 3.5s

29. Slide 29

30. Slide 30

31. Slide 31

32. Slide 32

33. Slide 33 Original SPOF

34. https://www.optimizely.com/security Slide 34

35. Slide 35

36. Slide 36

37. Slide 37 Original SPOF

38. Blackhole test results fall into one of three groups: 1. SPOF page loads SLOWER than original page Fix: Deferral or async script 2. SPOF page loads FASTER than original page Fix: Talk to provider about script hosting 3. SPOF page times out. Fix: Same as #1 Slide 38

39. 3. Before you add a new script, research the provider.

40. • Response time and time to last byte • RT and TTLB from multiple locations • Average monthly downtime • Do they use a CDN? • If so, where are their caches located? Slide 40

41. 4. Read the provider’s service level agreement.

42. An ideal third-party SLA should: • Express monthly annual uptime guarantee as a percentage (ideally, as close to 100% as possible) • Explain how performance will be monitored and reported • Describe the process for reimbursing site owners (if site owners are paying for the service provided by the script) if uptime drops below the SLA guarantee Slide 42

43. 5. Perform a cost-benefit analysis.

44. Slide 44

45. Slide 45

46. 2-second slowdown = 14% conversion loss But… …if that same tool promises a 20% conversion increase, that = a net gain of 6% Slide 46

47. 6. Be ready to say no.

48. Slide 48

49. 7. Defer scripts whenever possible.

50. Slide 50

51. Pro: It’s a relatively easy fix. Con: It won’t work for all content. Slide 51

52. Slide 52

53. 8. Use asynchronous scripts.

54. Slide 54

55. Slide 55

56. Slide 56 Pro: Doesn’t block primary content. Cons: Can be tricky to program. Can mess up onLoad and make it difficult to see other problems.

57. http://www.stevesouders.com/blog/2009/04/27/loading-scripts-without-blocking/ Slide 57

58. Slide 58 http://calendar.perfplanet.com/2011/the-art-and-craft-of-the-async-snippet/

59. 9. Monitor constantly.

60. RUM/APM Tag management systems SPOF-o-matic No excuses. Slide 60

61. 10. Give feedback to providers.

62. Slide 62

63. Slide 63

64. 11. Know when to pull the plug.

65. Slide 65

66. Tammy Everts tammye@radware.com webperformancetoday.com twitter.com/tameverts Slide 66 Questions?

Can Third-Party Scripts Take Down Your Entire Site?

Radware

Can Third-Party Scripts Take Down Your Entire Site?