Development

The cost of a slow website: Why you lose sales and security on Google

24 April 2026 · 6 min read

Google has been using Core Web Vitals as a ranking factor since 2021. But there is something few mention: technical improvements that raise the Lighthouse score also reduce your website's attack surface. It's no coincidence: performance best practices and security best practices overlap more than they appear.

What are Core Web Vitals?

They are three metrics Google uses to measure real user experience on a webpage. They have been part of the ranking algorithm since May 2021.

LCP
Largest Contentful Paint

Time until the page's main element is visible

Target: < 2.5s

FID / INP
Interaction to Next Paint

Response time to the user's first interaction

Target: < 200ms

CLS
Cumulative Layout Shift

Visual stability: does content move while loading?

Target: < 0.1

The connection between performance and security

This is the article's central point. Many optimizations that improve Core Web Vitals also strengthen security. They are not two separate projects; they are the same work.

Reduce third-party scripts

🚀 Performance

Less JavaScript = faster page. Every external script blocks rendering.

🔒 Security

Every external script is a potential attack surface (supply chain attacks). Fewer dependencies = less risk.

Implement Content Security Policy (CSP)

🚀 Performance

Allows securely preloading critical resources using directives like preload.

🔒 Security

Blocks the execution of unauthorized scripts. It is the main defense against XSS.

Serve resources from your own domain

🚀 Performance

Avoids additional DNS connections to external domains that add latency.

🔒 Security

External resources can change without your knowledge. Serving them yourself keeps them under your control.

Use HTTPS with HSTS

🚀 Performance

HSTS eliminates the HTTP→HTTPS redirect on recurring visits, improving TTFB.

🔒 Security

HSTS forces HTTPS always, even if the user types the URL without a protocol. Prevents downgrade attacks.

Compress and optimize images

🚀 Performance

Images are the biggest factor in LCP. WebP format and lazy loading drastically improve the score.

🔒 Security

Images with EXIF metadata can leak information about the server or the uploader. Processing them strips that metadata.

Configure proper caching and HTTP headers

🚀 Performance

Correct Cache-Control makes static resources load from the browser, not the server.

🔒 Security

Security headers (X-Content-Type-Options, X-Frame-Options) go in the exact same server configuration.
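The headers named in the sections above (CSP, HSTS, Cache-Control, X-Content-Type-Options, X-Frame-Options) can be checked together in one pass. The following is an added example, not code from the original article: the finding codes, the 180-day HSTS threshold and both sample responses are assumptions made for illustration, and the check assumes the response is for a static asset.

```python
import re

MIN_HSTS_SECONDS = 15552000  # assumption: 180 days as the shortest acceptable max-age

def csp_directives(policy):
    """Parse a CSP value into {directive: [sources]}; first occurrence of a directive wins."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_headers(headers):
    """Return finding codes for the response headers of one static asset."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = csp_directives(h.get("content-security-policy", ""))
    findings = []
    hsts = re.search(r'max-age="?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not hsts:
        findings.append("hsts-missing")
    elif int(hsts.group(1)) < MIN_HSTS_SECONDS:
        findings.append("hsts-short-max-age")
    # script-src falls back to default-src when it is not set
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        findings.append("csp-no-script-restriction")
    elif "'unsafe-inline'" in script_sources:
        findings.append("csp-unsafe-inline")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    # frame-ancestors in CSP covers the same ground as X-Frame-Options
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    if not re.search(r"max-age=\d+", h.get("cache-control", ""), re.I):
        findings.append("cache-no-max-age")
    return findings

# Constructed sample responses (not captured from any real site)
WEAK = {"Cache-Control": "no-cache", "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example"}
HARDENED = {"Cache-Control": "public, max-age=31536000, immutable",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(sample))
```

Feeding it the headers from a real response (for example, collected with any HTTP client) gives one list of gaps that covers the caching and the security settings at once.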

How to measure your Core Web Vitals right now

Want to improve speed and security at the same time?

In our web development projects, performance and security are integrated from day one, not tacked on at the end.

Fast and secure web from day one

We build with performance and security integrated

They are not two separate projects. At Kodia, performance and security are part of the same development process.