openastronomy.github.io
Optimizations and Security
This PR improves site performance and security by optimizing assets and implementing best practices:
Fixes https://github.com/OpenAstronomy/openastronomy.github.io/issues/251
Optimized Asset Loading:
- Minified `bootstrap.css`, `bootstrap-responsive.css`, and `swc.css`, reducing their total size.
- This helps reduce page load times, improves performance, and decreases bandwidth usage for users.
Deferred JavaScript parsing:
- Some JavaScript files were blocking the initial page load.
- Deferred scripts so that they load only after the HTML is parsed, improving First Contentful Paint (FCP) and page responsiveness.
Implemented Content Security Policy (CSP):
- Added CSP headers in `_config.yml` to restrict resource loading and mitigate security risks (e.g., XSS attacks).
- This ensures that scripts and styles only load from trusted sources, improving security.
Enabled Caching for Faster Page Loads:
- Integrated `jekyll-include-cache`, which caches expensive Liquid includes (like navigation and footers).
- This reduces Jekyll's build time and speeds up page rendering.
Improved Accessibility:
- Added a `lang` attribute to the HTML root (`<html lang="en">`), which helps screen readers and improves SEO.
The ideas page seems to not be loading for me, https://output.circle-artifacts.com/output/job/6dd88010-b230-4639-a0aa-107fa0977d28/artifacts/0/html/gsoc/gsoc2025/index.html
Thanks for your contributions, some suggestions below.
- I'd prefer independent changes on independent PRs.
- I don't like the CSS being minified when it has already departed from sass, making it harder to modify them in the future.
- can you explain the security dangers of a static site like this one?
- does the cache plugin work on GH Pages?
It's a good practice to create an issue before contributing a PR, so that we can discuss the need or the approach for these issues. In this case an issue was already created; writing there first with your approach is appreciated.
Thanks for the feedback! I appreciate the detailed review and will make the necessary changes.
- I understand your concern about maintainability. Since the project has moved away from Sass, keeping the CSS readable is important.
- While static sites are generally more secure than dynamic ones, they can still be vulnerable to:
  - XSS (Cross-Site Scripting): If user-generated content is included (even indirectly), an attacker could inject scripts.
  - Content Injection: If an attacker compromises dependencies (e.g., external scripts), they could modify content.
  - Clickjacking: If the site is embedded in an iframe, users might interact with unintended UI elements.
  The CSP implementation was aimed at reducing these risks by enforcing strict loading rules.
- Does `jekyll-include-cache` work on GitHub Pages? GitHub Pages has limited support for plugins, and `jekyll-include-cache` is not included in the supported list.
- Creating an issue before a PR: In the future, I'll first open an issue to discuss the approach before submitting a PR. Thanks for pointing this out!
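A defender-side check for the three risks named in the reply above (XSS, content injection through third-party scripts, clickjacking), as an added example that is not part of this PR or of the OpenAstronomy site: it parses a Content-Security-Policy string and reports where the policy falls short of mitigating each risk. The policy strings are constructed for illustration. Two caveats the example encodes: directives such as `script-src` fall back to `default-src` when absent, while `frame-ancestors` does not; and a CSP delivered in an HTML `<meta http-equiv>` tag (the only option on a host that cannot set response headers, which is the case for GitHub Pages) has its `frame-ancestors` directive ignored by browsers, so the clickjacking protection needs an HTTP header.

```python
"""Lint a Content-Security-Policy string against the XSS, content-injection and
clickjacking risks discussed in the thread.

Added example, not code from the OpenAstronomy PR. Policies below are constructed.
"""

# Source expressions that widen script execution far enough to defeat CSP as an XSS control.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(policy: str) -> dict:
    """Split "directive src src; directive ..." into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def effective(directives: dict, name: str):
    """Fetch-directives fall back to default-src; frame-ancestors never does."""
    if name in directives:
        return directives[name]
    if name != "frame-ancestors" and "default-src" in directives:
        return directives["default-src"]
    return None


def lint_csp(policy: str, delivered_via_meta: bool = False) -> list:
    """Return a list of human-readable findings; an empty list means no gap was found."""
    d = parse_csp(policy)
    findings = []

    # XSS: which origins may execute script?
    scripts = effective(d, "script-src")
    if scripts is None:
        findings.append("script-src: no directive and no default-src fallback; any script may run")
    else:
        weak = sorted(s for s in scripts if s in WEAK_SOURCES)
        if weak:
            findings.append(f"script-src: weak sources {weak} undermine the XSS mitigation")
        # Content injection: every external host is a dependency whose compromise
        # changes the page; pin those scripts with Subresource Integrity attributes.
        hosts = [s for s in scripts if not s.startswith("'") and s not in WEAK_SOURCES]
        if hosts:
            findings.append(
                f"script-src: external hosts {hosts} load unpinned code; add integrity= (SRI) on those <script> tags"
            )

    # Clickjacking: frame-ancestors controls who may embed the page.
    ancestors = d.get("frame-ancestors")
    if ancestors is None:
        findings.append("frame-ancestors: missing; the site can be framed by any origin (clickjacking)")
    elif delivered_via_meta:
        findings.append("frame-ancestors: ignored when CSP is delivered in a <meta> tag; send it as an HTTP header")
    return findings


# Constructed policies: the first is permissive, the second is a strict baseline for a static site.
PERMISSIVE = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example"
STRICT = "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'"

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"[{label}]")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  -", finding)
    print("[strict, via <meta>]")
    for finding in lint_csp(STRICT, delivered_via_meta=True):
        print("  -", finding)
```

Running the module prints three findings for the permissive policy, none for the strict one as a header, and one for the strict one when delivered in a meta tag.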
Thanks for the PR @PraneyaKumar. I will close this for now; if you want to pick it up again, please do feel free to do so.