Long load times of password protected site

Hi everyone,

We recently started hosting a password protected site on Netlify and are experiencing extremely long load times for our main.js bundle. The project itself is an Angular 7 frontend with ~50 components that produces a minified main.js bundle of 1.3MB (see attached screenshot).

Loading this main.js bundle takes usually in excess of 12 seconds to load on an otherwise fast internet connection. Also note that we are located in Germany and get low traffic on our website due to its password protected nature and mostly internal usage.

My questions are, if this is related to the CDN and can we therefore not do anything about it on our side or is there some configuration that we need to make for bundles of this size? Also any other ideas on how to speed up this load time are greatly appreciated!

In case it helps, here’s also a screenshot of one of the requests that take this long with x-nf-request-id: dd87d7c3-f676-4706-b787-efbd863d0fcf-4006

It is expected that a site protected with Basic Auth or site-wide password will always be slow to load. They do not use our CDN in the normal way as our servers in San Francisco, USA, must authenticate EVERY request. The performant protection (at the CDN edge) is JWT’s: https://www.netlify.com/docs/visitor-access-control/#role-based-access-controls-with-jwt-tokens

However, that delay should be more like hundreds of milliseconds or maybe 1-2 seconds in normal circumstances.

I don’t know what happened with that long load, though our server logs agree that it took over 12s to send, which is extremely atypical (far above the 99.9th percentile for non-proxy’d requests on our CDN). The logging we have didn’t really give me any answers. It wasn’t in cache on the node at the time, which means we had to fetch it, so that would have double the number of requests to our origin servers, but even that would only explain a few seconds.

What I can ask is that if you can reproduce (I can’t - it takes about a second to load for me but I am also half the world away from the IP I found in our logs for that request), you collect a HAR file for us so we can examine the whole site load to try to understand?


Hi @fool thanks for the reply! How can I send you the HAR file privately? It contains somewhat sensitive information so I’d rather not do it publicly on this platform. For us this load time is consistently this long and I don’t remember ever seeing it load any faster. Can you make a rough estimate of how long the load time would be under normal circumstances but without going the JWT route?

I’d deploy a second copy of the site with the password off at a non-guessable hostname to test load speed if I were you. You can delete it right afterwards…

I did get your HAR file but won’t be able to look at it til Monday, sorry!

1 Like

Hi @fool, any updates on this?

Hi @t.lutzeyer,

I can see that was a cache miss and the request hit our Germany node, which had to then do the password verification at our origin in San Francisco. You can take the file down. This is expected behavior when doing site-wide passwords. The only way to test real performance would be to remove the password or as fool suggested, upload it to an alternate site where you don’t share the URL and do your tests there.