Why performance is also security
A slow website does not just frustrate users — it is also more vulnerable. Outdated JavaScript libraries accumulated in pursuit of "functionality" create a larger attack surface. Lack of HTTP/2 (which browsers only negotiate over TLS) leaves traffic exposed to MITM attacks. Uncontrolled third-party resources are supply chain attack vectors.
Optimising web performance — removing unnecessary dependencies, applying Content Security Policy (CSP), and managing cache properly — has the double effect of improving user experience AND reducing the attack surface.
Core Web Vitals: the metrics Google measures
Largest Contentful Paint
Measures when the largest content element in the viewport has finished rendering. Target: < 2.5 seconds. Improve with: WebP images, font preload, CDN.
Interaction to Next Paint
Replaced FID in 2024. Measures the latency of all user interactions, not just the first. Target: < 200ms. Improve by reducing blocking JS.
Cumulative Layout Shift
Measures visual stability — how much elements shift during loading. Target: < 0.1. Common cause: images without defined dimensions or ads pushing content.
Time to First Byte
Server response time. Target: < 800ms. Improve with: server cache (Redis/Varnish), DB query optimisation, CDN edge.
This configuration combines performance optimisation with security hardening. Both goals are not only compatible — they reinforce each other.
```apache
# .htaccess — Cache + Compression + Security Headers
# Note: the two Cache-Control rules must live in separate <FilesMatch> scopes;
# at the same scope the second "Header set" would override the first for every response.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml font/woff2
</IfModule>

<IfModule mod_headers.c>
    # Immutable assets (with hash in filename), e.g. app.3f9a1c2d.js
    # (filename pattern assumed; adjust to the build tool's naming scheme)
    <FilesMatch "\.[0-9a-f]{8,}\.(css|js|woff2|svg|png|webp)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # HTML no cache
    <FilesMatch "\.html?$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>

    # Security
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
```
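As an added example (not from the original article or its configuration), a small Python checker that audits captured responses against the cache, compression and header policy above. The hashed-asset filename pattern, the sample header sets and the paths are assumptions.

```python
import re
from typing import Dict, List
# Assumption: fingerprinted assets look like app.3f9a1c2d.js (8+ hex chars before the extension)
HASHED_ASSET = re.compile(r"\.[0-9a-f]{8,}\.(?:css|js|woff2|svg|webp)$", re.I)
# Types the DEFLATE filter above targets (woff2 left out: the format is already compressed)
COMPRESSIBLE = {"text/html", "text/css", "application/javascript", "application/json", "image/svg+xml"}
SAFE_REFERRER = {"strict-origin-when-cross-origin", "strict-origin", "same-origin", "no-referrer"}

def audit_response(path: str, headers: Dict[str, str]) -> List[str]:
    """Return policy findings for one response; an empty list means it complies."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    findings: List[str] = []
    # Cache policy: hashed assets immutable for a year, HTML always revalidated
    if HASHED_ASSET.search(path):
        if not {"max-age=31536000", "immutable"} <= cc:
            findings.append("hashed asset not served with max-age=31536000, immutable")
    elif ctype == "text/html":
        if "no-cache" not in cc:
            findings.append("HTML not served with Cache-Control: no-cache")
        if "content-security-policy" not in h:
            findings.append("HTML missing Content-Security-Policy")
    # A personalised response must never be stored by a shared cache
    if "set-cookie" in h and "public" in cc:
        findings.append("Set-Cookie on a 'public' response: session may leak via shared cache")
    if ctype in COMPRESSIBLE and h.get("content-encoding", "").lower() not in {"br", "gzip", "deflate"}:
        findings.append(f"{ctype} served uncompressed")
    # Hardening headers from the .htaccess, plus HSTS from the roadmap
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or too permissive")
    for name in ("permissions-policy", "strict-transport-security"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

# Constructed sample responses, not captured from any real site
GOOD_ASSET = {"Content-Type": "application/javascript", "Content-Encoding": "br",
              "Cache-Control": "public, max-age=31536000, immutable", "X-Content-Type-Options": "nosniff",
              "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), microphone=()",
              "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
BAD_HTML = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "public, max-age=600",
            "Set-Cookie": "session=abc123; HttpOnly", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "unsafe-url", "Permissions-Policy": "camera=()", "Strict-Transport-Security": "max-age=63072000"}

if __name__ == "__main__":
    for p, hdrs in (("/static/app.3f9a1c2d.js", GOOD_ASSET), ("/index.html", BAD_HTML)):
        print(p, audit_response(p, hdrs) or "OK")
```

Feed it the path and header map of each response from a crawl of your own site; the cookie-on-public check catches the one misconfiguration that the .htaccess alone cannot express.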
"A fast website is not just a competitive advantage. It is a signal that the development team knows what they are doing."
Zenith — Primitive Security
WPO roadmap
- 01. Initial audit — PageSpeed Insights + WebPageTest + GTmetrix. Identify Quick Wins with the greatest impact.
- 02. Images and fonts — Convert to WebP/AVIF. Lazy loading. Font subsetting. Preload critical resources.
- 03. JavaScript — Code splitting, tree shaking, defer/async. Remove polyfills for modern browsers.
- 04. Server and network — HTTP/2 or HTTP/3, CDN, edge caching, Brotli compression, HSTS preload.
- 05. Continuous monitoring — Real User Monitoring (RUM) with performance regression alerts on every deploy.

Zenith
Lead Threat Hunter. Web performance optimisation expert and high-traffic site architecture specialist.