When we analyze website performance bottlenecks, one often-overlooked factor is how cookies affect static resource loading. Every HTTP request that includes cookies means:
- Extra headers being transmitted (typically 200-1000+ bytes per request)
- Unnecessary server-side processing for cookie validation
- Reduced cache efficiency for static assets
Consider this typical request flow for an image:
GET /images/logo.png HTTP/1.1
Host: www.example.com
Cookie: sessionid=abc123; user_prefs=darkmode
The cookie data is completely useless for serving logo.png, yet it's sent anyway. Multiply this by dozens of static resources, and the overhead becomes significant.
Here's how to set up a cookie-free domain in Nginx:
server {
listen 80;
server_name static.example.com;
location / {
root /var/www/static;
expires 1y;
add_header Cache-Control "public";
# Explicitly disable cookies
proxy_set_header Cookie "";
}
}
For AWS CloudFront:
// CloudFront Behavior Settings
{
"Forward Cookies": "None",
"Query String Forwarding": "None",
"Viewer Protocol Policy": "Redirect HTTP to HTTPS",
"Allowed HTTP Methods": ["GET", "HEAD"],
"Cache Based on Selected Request Headers": "None"
}
Use this curl command to test:
curl -I https://static.example.com/image.jpg
Look for missing Set-Cookie headers and verify caching headers.
Watch out for:
- Accidentally setting cookies via JavaScript on static domains
- Relative URLs that might inherit the main domain's cookies
- Third-party scripts that may inject their own cookies
For maximum performance, combine cookie-free domains with:
- Domain sharding (carefully, considering HTTP/2 implications)
- Subresource integrity for security
- Preload headers for critical assets
When browsers request resources from your domain, they automatically attach all relevant cookies to each HTTP request. This becomes problematic for static assets like images, CSS, and JavaScript files that don't need any cookie information. The unnecessary cookie data in each request:
- Increases bandwidth usage (typically 300-1000 bytes per request)
- Slows down page load times
- Reduces caching efficiency
A cookie-free domain is a separate domain (often a subdomain) specifically configured to serve static content without cookies. Here's the technical implementation:
# Nginx configuration example for cookie-free subdomain
server {
listen 80;
server_name static.yourdomain.com;
location / {
root /var/www/static;
expires 1y;
add_header Cache-Control "public";
# Ensure no cookies are set
add_header Set-Cookie "";
}
}
For maximum performance, consider these patterns:
// HTML implementation
<img src="//static.example.com/images/logo.png" alt="Logo">
// JavaScript implementation
const staticBase = 'https://static.example.com/';
const loadAsset = (path) => {
return fetch(staticBase + path).then(/*...*/);
};
When setting up your cookie-free domain:
- Use a CNAME record pointing to your main domain (static.example.com CNAME example.com)
- Configure your CDN to not forward cookies for this domain
- Test with browser dev tools to verify no cookies are transmitted
In a typical web page with:
- 50 static requests
- Average cookie size of 500 bytes
Using a cookie-free domain saves ~25KB of unnecessary data transfer per page load. For high-traffic sites, this can translate to significant bandwidth savings and faster page loads.
Avoid these pitfalls:
// Wrong: Still using relative paths that might inherit cookies
<img src="/images/logo.png" alt="Logo">
// Wrong: Setting cookies on the static domain
Set-Cookie: session=abc123; Domain=.example.com
For maximum optimization:
// Using multiple static domains for parallel downloads
<img src="//static1.example.com/image1.jpg">
<img src="//static2.example.com/image2.jpg">
// Webpack configuration example for asset paths
output: {
publicPath: 'https://static.example.com/assets/'
}