Category Archives: Web best Practices

Whether or not they are automated on DareBoost.com, find here the best practices of web performance and quality in detail. This area is also yours: don’t hesitate to suggest a post of your own, or a topic you would like us to write about.

On the way to HTTP/2: what to expect for front-end development?

We announced it a couple of months ago: our web performance testing tool now fully supports HTTP/2, and our best practices repository has been updated to handle the particularities of this new protocol. Now, let’s go back to the reasons behind the emergence of HTTP/2 and talk about the major changes this protocol brings, and the old HTTP/1 best practices that we will have to give up!

Why you should avoid using document.write, specifically for scripts injection

Web performance testing tools such as Google Page Speed or Dareboost have been advising this for a while: injecting a script with document.write has a significant impact on website loading time. Let’s talk about this topic one more time, as the next Chrome update (version 54) won’t allow such script injections any longer. What kind of issues may you experience? What are the alternatives?


HTTPs is a requirement for your website

About a year ago, I published an article about HTTPS usage growth: Chrome, Firefox and Google Search: HTTPS forcing its way. In that article I detailed some major announcements that would probably result in pushing HTTPS forward.

Since then, requests using HTTPS have reached 25% according to HttpArchive data (compared to 15% in April 2015).

In this post, we’re going to focus on the results of those announcements so far, on the latest changes, and especially on why you should consider HTTPS a requirement for your website (not only for security or SEO considerations!)


Content Performance Policy: an alternative to Google AMP?

It’s not usual on this blog, but today I’m going to write about a proposal that might become real, but that is still at a very early stage.

It is now more than a year since we added a recommendation about Content Security Policy to our website analysis on dareboost.com. It’s a great feature for adding more security to your website, particularly for protecting your visitors from the effects of an XSS attack.

The idea behind CSP is to let website owners declare a security policy that the web browser then applies. For instance, it allows you to explicitly whitelist some JavaScript files, or to ensure that HTTPS is used to request each resource within the page.

Tim Kadlec and Yoav Weiss borrowed the general concept of CSP and applied it to web performance, proposing a new HTTP header (Content Performance Policy) that declares precisely the compliance level of a given page with some web performance best practices. The user agent would then be responsible for ensuring the effectiveness of the announced best practices.

Securing an iframe thanks to the sandbox attribute

Over time, we have gotten used to integrating more and more content into our web pages. Sometimes this content comes from third parties (social network widgets, advertising, etc.). This has two consequences: the size of web pages continues to rise, and we display to users some content that we can’t fully control.

Some of this external content is integrated via the <iframe> tag, and you should pay special attention to these elements for your website’s security. To limit the risks, the W3C added the sandbox attribute to the HTML5 specifications, making it possible to restrict the actions available from within an iframe (supported by major recent browsers).
