The hidden cost of CDN for static assets

CDN or Content Delivery Network is great. Probably they give you functionality like compressing & minify-ing your static assets on-the-fly, caching static assets for your end-user across the party, or setting you up some "static assets ceremony" so you don't need to deal with the build tools.

The most popular CDN to serve you some static assets are jsDevlir, cdnjs, unpkg, and Google Fonts CDN. Those services are great, free, and open source. I don't hate CDN but I will try to avoid it as possible.

CDN features

As the acronym said: Content Delivery Network. It will deliver you some content across the network. Not matter does your users are from Japan, Yogyakarta, California, or Semarang although your server was located at Jakarta, they all will get almost fast experience by conneting to the nearest edge.

So if one of my user is from California but my server is in Jakarta, they will get the same content like it come from the nearest their location (San Francisco for example). Also, CDN will do caching it for you. So your user will not hit your server again and again since the CDN provider have the cache for that.

Beside the core features, basically CDN will give you some additional feature like in Security. They will secure your server by hiding the real IP address, they will guard you from DDoS attack, etc.

CDN for static assets

Setting up new web project is quite overwhelm. First, you need some libraries. Second, you need some fancy fonts. Third, you need to deal with versioning so your users will get the right (and latest) assets you have.

To make your web fast, you need to deal with compression (like gzip & brotli), HTTP/2 thing, caching thing, SSL thing, etc. Fortunately, CDN basically has that feature. So although your web app only use HTTP, the CDN can serve your web in HTTPS via their load balancer. This is done using Flexible SSL like what Cloudflare did.

Back to the context, rather than we setup our new project manually (doing some curl, doing some yarn add, setup some gulp/webpack, etc), just load it from CDN is the best way to make prototype faster :)

The hidden cost?

First thing we should know is the little file that stored in our computer: Cookie. Almost all CDN require cookie, the 3rd-party cookie. One of the biggest CDN provider like Cloudflare will set you a cookie with _cfduid as a key. The value was just a hashed-anonymyzed end-user IP address to identify malicious user to their customer.

Since the Cloudflare business was not in personal data, this is not a big problem.

So, let's back to the context. Either Unpkg, CDNJS, and jsDelivr is using Cloudflare for one of their CDN services. Google Fonts CDN was using Google's in-house CDN obviously.

Let's see the interesting part of this. I only see Privacy Policy page on jsDelivr site. They don't collect any personal data, but they may collect any "Usage data", they said:

We may collect information how the Service is accessed and used ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

So, if you visit my girlfriend page https://faultable.dev/dewi and if I'm using jsDelivr, you give them such information like:

  • Ip Address: Glad if you are using adblocker/tracker blocker :)
  • Browser type:
  • Browser version:
  • Page you visit:
  • Time and date:
  • Time spent on those page: seconds (if they mean is ticker) or second (if they mean page load)
  • Unique device identifier: (redacted)
  • Other: N/A

Those information is not useful until it is.

That's only from one service, I don't talk about another services and another services they depend (like analytics, for example).

Conclusion

I will avoid using CDN as I can especially if my target users is not world-wide. CDN is great in another case but for my case is not. I use Cloudflare for my DNS resolver but I don't use their CDN service since I use Traefik as my load balancer.

The hidden cost here is just some "information-sharing thing" that not necessary for you and your user.

But for me, it was.

My website is fast enough  and only load little dependencies. So, why should I use CDN if I can just curl -JOI and npx uglifyjs --compress --mangle something?

Thank you.