Posted by Ryan Pascoe
25 May, 2018

Why analytics tools, booking widgets and embeds could all pose a risk to your website’s performance and security.

We work hard to ensure that the websites we build provide the best possible user experience. However, it's not only our own code we have to keep in check: often, we’re asked to add third-party scripts to our sites, such as analytics, marketing tools, booking widgets and embeds. These scripts may be crucial to your business, but they come with many risks.


Ever viewed a page that looks like it's loaded but doesn't respond to taps, clicks or scrolling for several infuriating seconds? It's incredibly frustrating and sure to turn your users away.

So what causes this? Well, bloated, poorly optimised JavaScript is the likely culprit. When JavaScript executes, it blocks any other interactions (like taps, clicks and scrolling) from being handled until it has finished. When it’s done, the page finally responds – at which point the already frustrated user is overwhelmed by a flurry of time-lapse activity.

The impact is even greater on mobile devices where computing power is limited, compounded by slow network speeds. According to research by Google, 53% of mobile users leave a site if it takes more than three seconds to load.


Many third-party scripts still only provide a non-secure HTTP version, which is problematic if your site is using HTTPS. When a site using HTTPS requests a non-HTTPS URL, one of two things will happen: either the browser will block the request, preventing the script from functioning, or it will mark the page as non-secure.

Third-party scripts are often hosted on the third party’s own server, and then requested by your site. Their code can therefore be changed without notice and will still run on your site. This unfortunately makes them a target for hackers – if they can compromise the security of a third-party script, they then have the ability to carry out malicious activity on potentially millions of sites.

This can include:

  • Defacing your site.
  • Redirecting the user to a site posing as your own.
  • Hijacking the user’s device to mine cryptocurrencies.
  • Collecting personal information such as credit card numbers entered into a form.

This all sounds scary, but it goes without saying that you only want to be running code you can trust – and only on pages without sensitive information.
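To make the two risks above checkable, here is an added example (not code from this post or from Nixon) that audits a page's script tags for non-HTTPS sources on an HTTPS page and for third-party scripts whose content is not pinned. The function names, hostnames and sample markup are constructed for illustration; the `integrity` attribute it looks for is the browser's standard Subresource Integrity feature, which this post does not discuss.

```javascript
// Added example: audit the <script> tags of one page (runs in Node.js, no dependencies).
// SAMPLE_HTML and every hostname in it are constructed for illustration.
const SAMPLE_HTML = `
<script src="/assets/app.js"></script>
<script src="http://widgets.example.net/booking.js"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
`;

// Read one attribute from an opening tag (double-quoted, single-quoted or bare value).
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per external script. The regex scan is enough for an audit of
// ordinary markup; it is not a full HTML parser (a ">" inside an attribute breaks it).
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue; // inline script: delivered with the page itself
    let url;
    try {
      url = new URL(src, page); // resolves relative paths against the page
    } catch {
      findings.push({ src, thirdParty: null, issues: ["unparseable src"] });
      continue;
    }
    const thirdParty = url.host !== page.host;
    const issues = [];
    // An HTTPS page requesting an HTTP script: blocked or flagged by the browser.
    if (page.protocol === "https:" && url.protocol === "http:") issues.push("mixed-content");
    // Hosted elsewhere with no integrity hash: the file can change without notice.
    if (thirdParty && !attr(tag, "integrity")) issues.push("unpinned third-party");
    findings.push({ src: url.href, thirdParty, issues });
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, "https://www.example.com/rooms"));
```

Scripts injected at runtime by a tag manager never appear in the served HTML, so a check like this only covers what the page itself declares.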


Data collection and privacy

Another consideration is GDPR compliance and user privacy. The majority of scripts will be collecting data about the user in one way or another, either for your use or purely for the third party’s benefit. So it’s worth checking their GDPR practices and privacy policies beforehand to make sure your site remains compliant, and then updating your own privacy policy if you need to.


While we make sure our sites are accessible, not all third parties do the same when developing widgets such as booking engines. This is extremely important for things like availability calendars, as inaccessibility can leave your users unable to make bookings.

Tag managers

Services like Google Tag Manager give anyone with sufficient access the ability to add third-party scripts to your website without involving a developer. This can become problematic as the user(s) adding them may not be aware of the impact their changes can have.

What we do

We will only include code from trusted third parties, and only once it has been tested, which means we may occasionally reject a script or strongly advise against placing it on your site.

If you ask us to add a tag manager, we usually disable the ability for other parties to publish new code to the website. In the case of Google Tag Manager, other users can still view and make changes but will need to contact us to publish the changes. This means we can review all changes before they are published to ensure they don’t have a detrimental impact on your website’s performance.

What you can do

Share this page with marketing managers or anyone within your organisation who will be responsible for the day-to-day management of the website and liaising with Nixon.

Check with us before committing to a new marketing tool, booking engine or similar add-on, as it may require a third-party script to be placed on your website. It's important that we can evaluate the script’s impact ahead of time, as this protects you from signing up to a service only to find out it can't be implemented because it has an unacceptable impact on your website.

If in doubt – even if a third-party tool seems to be all singing, all dancing – it’s always a good idea to ask our opinion. We’re familiar with a wide range of third-party scripts and will always give honest advice with your brand in mind.