Risks Of Hosting Scripts With 3rd Parties

Many websites use JavaScript, CSS and fonts hosted on external sites, but few seem to understand the great risks that come with this practice.

We see it all the time: you sign up to a service that asks you to update your website's code and add a snippet that points to an externally hosted JavaScript file used for tracking, marketing or other purposes. The most common example is the script required to make Google Analytics work on your website.

Website owners and developers need to understand the business risk of doing this, specifically:

1- You have no control over any changes, which means no guarantee that the code will remain the same. How does this impact you? If the 3rd party host decides to make a change, your website might break.

2- Arbitrary code can be executed without you knowing. If the host gets compromised, your website visitors are at risk.

3- You might disclose or leak sensitive information about your visitors to 3rd parties, which essentially undermines their right to privacy.
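To see where a page is exposed to these risks, the following added example (not code from the original article) lists every script and stylesheet that a page loads from a host other than its own. The sample page, its host names and the `audit` helper are constructed for illustration; the example also goes slightly beyond the text by recording whether a tag carries the standard `integrity` attribute, which makes the browser reject a file whose content has changed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host name and the hash value are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Demo">
<script src="//analytics.vendor.example/track.js"></script>
<script src="https://cdn.example.net/lib.min.js" integrity="sha384-CONSTRUCTED-PLACEHOLDER"></script>
<script src="js/app.js"></script>
</head><body><p>Hello</p></body></html>"""


class ExternalResourceAudit(HTMLParser):
    """Collect scripts and stylesheets served from a host other than the page's own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script" and a.get("src"):
            ref = a["src"]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            ref = a["href"]
        else:
            return
        # urljoin resolves relative and protocol-relative ("//host/...") references.
        url = urljoin(self.page_url, ref.strip())
        host = urlsplit(url).hostname
        # Assumption: any different host name, including a sibling subdomain, is external.
        if host and host != self.page_host:
            self.findings.append({"tag": tag, "host": host, "url": url,
                                  "pinned": bool(a.get("integrity"))})


def audit(html, page_url):
    """Return one finding per externally hosted script or stylesheet."""
    parser = ExternalResourceAudit(page_url)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "https://www.mysite.example/index.html"):
        state = "integrity hash present" if f["pinned"] else "unpinned, host can change it"
        print(f'{f["tag"]:7}{f["host"]:28}{state}')
```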

Why host externally?

Speed and simplicity tend to be the reasons why developers use externally hosted files. But with the proliferation of content delivery networks like Cloudflare, speed should no longer be an issue for anyone.

Where to host?

We recommend hosting as much as possible locally. If your website fails for some reason, you have bigger problems to focus on. But if an externally hosted script fails, your entire site might be unusable or deliver a sub-optimal experience to your visitors.


The choice of where to host is entirely up to the developer and web designer, but we generally recommend perfection over speed.

The Open Web Application Security Project (OWASP) has some further guidance that you might want to consider reading here.

Whatever you decide to do, we recommend planning for the worst and hoping for the best.