Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

Fonts and third-party assets sit in a policy gap: not quite yours, so nobody versions, subsets or caches them deliberately — while they block rendering and dodge every rule in your caching table. This guide closes the gap: self-host and subset the fonts, understand why cache partitioning ended the shared-CDN myth, and pull the third-party tail under your own policy.

Fonts: self-host and subset

Fonts deserve first-party treatment: self-host them on your own delivery hostname, in WOFF2 only (it is the universal modern format and internally compressed — no further edge compression, per the compression guide), hashed and versioned like any asset from the versioning pipeline, with the immutable year-long headers that follow. Then subset: a typical font family ships glyphs for scripts and features you never render, and subsetting to your actual character ranges (unicode-range splitting for multi-script sites, so a reader downloads only the script they read) routinely cuts font bytes by half to three-quarters. Variable fonts consolidate weight/style variants into one file — usually a further net win where you use more than two weights. The result is a font payload that caches forever, weighs a fraction of the default, and depends on nobody's infrastructure but yours.

The font loading rules

Delivery solved, loading discipline decides what users see. Three rules cover it: font-display: swap (or optional where brand tolerance allows) so text renders immediately in a fallback instead of blanking; preload only the one or two critical fonts the first paint needs (<link rel="preload" as="font" crossorigin>) — preloading the whole family steals bandwidth from the critical path it was meant to help; and modern fallback matching (size-adjust/metric overrides on the fallback face) so the swap doesn't reflow the page, which is what turns font loading from a layout-shift source into a non-event. The crossorigin attribute on font preloads is the classic silent mistake — fonts fetch in CORS mode, and a preload without it downloads the file twice.

Cache partitioning ended the shared-CDN myth

The old argument for loading fonts and libraries from public CDNs — "the user already has it cached from another site" — is dead: browsers partition their HTTP caches by top-level site, so a font cached for site A is never reused on site B, and has been for years in every major engine. What remains of the public-CDN pattern is its costs: an extra DNS+TLS connection to a third-party host on your critical path, availability coupling to infrastructure you don't control, and a privacy/compliance surface (font-host request logs) that several European regulators have already treated as a real issue. The conclusion is uniform: self-host fonts and the JS libraries you'd have pulled from public CDNs, on your own hostname, under your own versioning — the public utility CDNs (the jsDelivr/cdnjs tier) remain excellent for prototypes and open-source distribution, but production estates gain nothing and risk plenty by keeping them on the render path.

Third-party scripts: bring them under policy

The remaining third-party tail — analytics, tags, widgets, chat — can't all be eliminated, but it can be brought under policy. Order of preference: eliminate (the annual audit always finds tags nobody owns); proxy and cache where terms allow — serving the vendor's script from your own hostname with a short TTL puts it under your caching, compression and availability instead of theirs (respect the vendor's update cadence: a daily-updated tag proxied with a week TTL is a stale-tag incident); isolate what remains — async/defer everything, load below-the-fold widgets on interaction or via facades (the embedded-video placeholder pattern), and let a tag manager gate marketing additions through review rather than direct injection. The test each survivor must pass: if this third-party host is slow or down, does our page still render and function? Anything that fails is on the critical path by accident, and moving it off is the fix.

The audit: find the unmanaged tail

Close with measurement, because this class regrows. Quarterly, from a real page-load profile (browser devtools or your synthetic tooling): list every third-party hostname on your key pages, bytes and blocking time per host, and cache headers as actually served. Findings sort into the actions above — un-subsetted fonts, a library still loading from a public CDN, a render-blocking tag someone added in March, a proxied script whose upstream changed its caching. Two numbers make the trend visible on the same dashboard as your hit-ratio review: total third-party bytes on the critical path, and count of third-party hosts contacted before first render — both should only go down. The overlooked wins are overlooked precisely because no team owns them; the audit, owned by whoever owns performance, is what makes them yours.

Get the free assessmentMore analysis