惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
The Last Watchdog
The Last Watchdog
SecWiki News
SecWiki News
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Secure Thoughts
WordPress大学
WordPress大学
Microsoft Security Blog
Microsoft Security Blog
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
V
Visual Studio Blog
Security Latest
Security Latest
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Cloudbric
Cloudbric
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
N
Netflix TechBlog - Medium
MyScale Blog
MyScale Blog
T
The Blog of Author Tim Ferriss
H
Hacker News: Front Page
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
AWS News Blog
AWS News Blog
AI
AI
G
GRAHAM CLULEY
IT之家
IT之家
P
Privacy & Cybersecurity Law Blog
L
Lohrmann on Cybersecurity
Last Week in AI
Last Week in AI
D
Docker
Recent Announcements
Recent Announcements
O
OpenAI News
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
S
Security @ Cisco Blogs
T
Troy Hunt's Blog
C
Check Point Blog
博客园 - 三生石上(FineUI控件)
A
About on SuperTechFans
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
N
News and Events Feed by Topic

CSS Wizardry

Front-End’s Missing Metric: The TBT Window Meet Your Users Where They Are with Obs.js Better Browser Caching with No-Vary-Search font-family Doesn’t Fall Back the Way You Think What Is CSS Containment and How Can I Use It? When All You Can Do Is All or Nothing, Do Nothing Obs.js: Context-Aware Web Performance for Everyone Low- and Mid-Tier Mobile for the Real World (2025) The Fastest Site in the Tour de France Making Sense of the Performance Extensibility API Why Do We Have a Cache-Control Request Header? HTML Is Not a Programming Language… Build for the Web, Build on the Web, Build with the Web Licensing Code on CSS Wizardry A Layered Approach to Speculation Rules Designing (and Evolving) a New Web Performance Score Core Web Vitals Colours The Ultimate Contract Templates for Tech Consultants: Protect Your Business and Get Paid Optimising for High Latency Environments Cache Grab: How Much Are You Leaving on the Table? blocking=render: Why would you do that?! Correctly Configure (Pre) Connections The Three Cs: 🤝 Concatenate, 🗜️ Compress, 🗳️ Cache What Is the Maximum max-age? How to Clear Cache and Cookies on a Customer’s Device The Ultimate Low-Quality Image Placeholder Technique Core Web Vitals for Search Engine Optimisation: What Do We Need to Know? The HTTP/1-liness of HTTP/2 In Defence of DOM­Content­Loaded Site-Speed Topography Remapped Why Not document.write()? Speeding Up Async Snippets Critical CSS? Not So Fast! Measure What You Impact, Not What You Influence Optimising Largest Contentful Paint Measuring Web Performance in Mobile Safari Site-Speed Topography Speed Up Google Fonts Real-World Effectiveness of Brotli Performance Budgets, Pragmatically Lazy Pre-Browsing with Prefetch Making Cloud.typography Fast(er) Time to First Byte: What It Is and How to Improve It Self-Host Your Static Assets Tips for Technical Interviews Cache-Control for Civilians Bandwidth or Latency: When to Optimise for Which ITCSS × Skillshare What If? CSS and Network Performance The Three Types of Performance Testing Getting to Know a Legacy Codebase Image Inconsistencies: How and When Browsers Download Images Identifying, Auditing, and Discussing Third Parties My Digital Music Setup Measuring the Hard-to-Measure Finding Dead CSS The Fallacies of Distributed Computing (Applied to Front-End Performance) Ten Years Old Relative Requirements Airplanes and Ashtrays Performance and Resilience: Stress-Testing Third Parties Refactoring Tunnels Little Things I Like to Do with Git Writing Tidy Code Configuring Git and Vim Base64 Encoding & Performance, Part 2: Gathering Data Base64 Encoding & Performance, Part 1: What’s Up with Base64? Code Smells in CSS Revisited Typography for Developers Ack for CSS Developers A New Year, a New Focus Preparing Vim for Apple’s Touch Bar Choosing the Correct Average CSS Shorthand Syntax Considered an Anti-Pattern CSS Wizardry Newsletter Nesting Your BEM? Improving Perceived Performance with Multiple Background Images Continue Normalising Your CSS Pure CSS Content Filter Pragmatic, Practical, and Progressive Theming with Custom Properties Refactoring CSS: The Three I’s Speaker’s Checklist: Before and After Your Talk Improving Your CSS with Parker The Importance of !important: Forcing Immutability in CSS Mixins Better for Performance Managing Typography on Large Apps White October Events Workshop Partnership BEMIT: Taking the BEM Naming Convention a Step Further Travelling Like You Want to, When You Have To Contextual Styling: UI Components, Nesting, and Implementation Detail Subtleties with Self-Chained Classes Cyclomatic Complexity: Logic in CSS Immutable CSS Can CSS Be Too Modular? More Transparent UI Code with Namespaces When to use @extend; when to use a mixin The Specificity Graph CSS Wizardry Ltd.: Year 1 in review CSS Guidelines 2.0.0
Moving CSS Wizardry onto HTTPS and HTTP/2
Harry Roberts · 2017-01-25 · via CSS Wizardry

Written by on CSS Wizardry.

Table of Contents

Independent writing is brought to you via my wonderful Supporters.

  1. HTTPS
  2. HTTP/2
  3. Browser Support
  4. What Next

Hopefully by now, you should be able to read this article over HTTPS and HTTP/2. (If that link doesn’t work, please hit your back button and let me know!) I made the switch yesterday, and all being well the new DNS settings have propagated through. At some point soon I will begin forcing all HTTP traffic to HTTPS.

The site is still built with Jekyll and hosted on GitHub Pages, but it’s now fronted by Cloudflare who offer a plethora of performance-related services. I was only really interested in HTTPS because it allows me to use, among other things, HTTP/21, Brotli, and Service Worker (I’m not actually using the latter two yet, but now at least I can CSS Wizardry is now running on a simple Service Worker!), and when my buddy James tipped me off as to just how simple the process is, I got stuck in and got it done.

As an aside, I had some issues specific to my domain registrar (not GitHub or Cloudflare) which my very good friend Steve helped out with. He’s a very talented software and Ops engineer who managed to solve in minutes a problem that had troubled me all day. Thanks, Steve!

HTTPS

My site is completely static; it doesn’t take any user input, there is no logic or scripting, no database, so I didn’t feel like the need for HTTPS from a security point of view was all that pressing2. However, HTTPS is a prerequisite for a number of other technologies, and having a secure site—regardless of its content—is never a bad thing. More on the first bit in a moment, but for now I want to talk a little about security.

I imagine that although most users won’t have much of an understanding as to the technical implications behind a secure or a not-secure site (I’m hesitant to use the word insecure), they are becoming aware that there is such thing as security. With Google’s intent to mark certain webpages as insecure, and the general increase in awareness, users do know that secure websites are a thing. The implication, therefore, is that any site that isn’t explicitly marked as being secure must be insecure (whether that’s actually the case or not).

To this end, I think that HTTPS is as much an exercise in branding and trust as it is in security, and that it will steadily become more and more ubiquitous. This is only a good thing.

Further, HTTPS is required in order for certain other technologies to be utilised:

  • Brotli, an improved compression algorithm from Google, needs to run over HTTPS because of third parties (ISPs, proxies, etc.) infamously trying to recompress already compressed transfer. By preventing them getting at it in the first place, it means that they can’t try running gzip over a new, unknown content encoding (e.g. Brotli).
  • Service Worker absolutely needs to run over HTTPS, because it’s basically a man in the middle. We’re building a proxy that sits in between our users and our servers, so the need for security there should be pretty clear.

HTTP/2

HTTP/2 (or H2, as it’s commonly referred to) is a vast, vast improvement on the HTTP/1.1 protocol that we’ve been using for almost two decades. It brings many benefits to both developers and users, but many of its best features are centred around performance:

  • Compressed headers: HTTP/1.1 sends its headers uncompressed, which creates a surprising amount of overhead. HTTP/2 reduces that by compressing the response headers as well as the response body.
  • Multiplexing: get around head of line blocking and lack of parallelisation by sending multiple assets asynchronously over the same TCP connection.
  • Server push: allows developers to send late requested assets preemptively.

A lot of HTTP/2’s additions will moot the domain sharding, concatenating, and inlining strategies we came up with as hacks, and will instead allow us to deliver faster experiences with simpler architectures: we can optimise assets all we like, but there is no denying that HTTP/2 gives developers an astounding performance boost right out of the box.

Currently I’m not making that much use of anything HTTP/2 offers me other than multiplexing and header compression (because I didn’t even have to lift a finger for those). My site is already pretty slim, and I’m serving so few assets that one could almost argue over-engineering, but one really great example of where I will benefit from HTTP/2 multiplexing is this relatively large list of images on the homepage.

Browser Support

Support for HTTP/2 is pretty good, and always improving. Servers capable of serving over HTTP/2 will also still deliver to HTTP/1.x clients, so nothing will break.

However, it might not be time for your company to switch over too. Unfortunately, HTTP/2 best practices become bad practices in HTTP/1.1, and HTTP/1.1 best practices become bad practices in HTTP/2. Optimising for one will be detrimental to the other, and it’s pretty hard to satisfy both camps.

Fortunately for me, looking at the data, over the past 24 months over 85% of CSS Wizardry’s traffic has come from a browser that supports HTTP/2. For me it’s pretty clear that using HTTP/2 is the right decision. Other companies (government, ecommerce, etc.) might not have quite such a clear cut view.

What Next

Next up, I can look at implementing I have now implemented a simple Service Worker to provide better caching strategies, as well as a simple offline page for users on poor or non-existent connections. I should also look into splitting up my CSS into more granular, individually cacheable chunks.

Unfortunately, given that I am still hosting on GitHub Pages, I am limited in how much I can implement. Things like enabling Brotli will have to be done by Cloudflare, and utilising Server Push would require access to server-level configuration. That stuff will have to wait, but I can probably manage without it whilst I’m serving up a flat-file website with such a small footprint in the first place.


With all of this said, despite HTTP/2’s clearly superior approach to optimising user experiences, there is still great need for fundamental performance knowledge within teams: optimising assets, structuring more elegant delivery, and building to support non-HTTP/2 environments are all still very important.

If you’d like any advice or help with any of the above, I am lining up performance consultancy work for Q2 onward. Get in touch.