Why your site's invisible supply chain matters more than you think

Open DevTools on most small business websites and you'll find a dependency tree that would make a procurement officer flinch. Google Fonts loaded from fonts.googleapis.com. jQuery from cdnjs. A Facebook pixel, a Google Analytics tag, a Hotjar recorder, maybe a TikTok pixel someone added six months ago and forgot about. Every one of those is a third-party server your site calls on every single page load.

When any of those servers go down, your site degrades. When they're slow, your Core Web Vitals suffer. When they change their privacy terms, your compliance posture shifts overnight. And most site owners have no idea how many external dependencies they're carrying.

The three risks nobody talks about

Performance. Every external origin costs a DNS lookup, a TCP connection, and a TLS handshake before a single byte of content transfers (HTTP/3 folds the last two into one QUIC handshake, but the round trips do not disappear). Google Fonts alone adds two extra origins: fonts.googleapis.com for the CSS and fonts.gstatic.com for the font files, and the second can't even start until the first has answered. Multiply that by the jQuery CDN, your analytics stack, and whatever marketing pixel someone pasted into the tag manager, and you've got six or seven extra connection setups before the page even starts rendering.

Privacy. Each external request hands the third party your visitor's IP address, user agent, and referrer (the page they are reading), plus, where the browser still allows third-party cookies, any cookies that third party has previously set on its own domain. Your own site's cookies stay put, but a tracker embedded on many sites can still follow the same visitor across all of them. The tracking scripts are the obvious offenders, but even Google Fonts sends a request, and with it the visitor's IP address, on every page view. Under GDPR that is personal data leaving the EU for US servers: a Munich court ruled in January 2022 that loading Google Fonts from Google's servers without consent violates the visitor's rights, and the Austrian data protection authority had reached a similar conclusion about Google Analytics a month earlier.

Reliability. On July 2, 2019, Cloudflare had a 27-minute global outage: a WAF rule containing a pathological regular expression pinned every CPU in its edge fleet, and sites behind Cloudflare returned 502s. On October 4, 2021, a configuration change on Facebook's backbone withdrew its BGP routes and took its DNS servers offline with them, so for about six hours every Facebook SDK, pixel, and login button on the web failed to load and anything relying on Facebook Login stopped working. These outages are rare, but when they hit, they hit every site that depends on that provider simultaneously.

What self-hosting actually looks like

The fix is straightforward for most dependencies:

For Google Fonts, download the WOFF2 files using google-webfonts-helper, drop them in a /fonts/ directory, and write a local @font-face rule with font-display: swap. Total effort: 10 minutes. You eliminate two external origins and cut 200-400ms off your LCP on first visit.
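As an added example (not code from the post, and not google-webfonts-helper's code), here is the rewrite step in Node.js: given the CSS that fonts.googleapis.com serves, it emits local @font-face rules with font-display: swap and a list of files to download once, at build time, into /fonts/. The sample CSS, its file hashes, and the family-subset-weight naming scheme are constructed here and are not Google's.

```javascript
// Added example (not from the post, and not google-webfonts-helper's code):
// rewrite the CSS that fonts.googleapis.com serves so every font file is
// loaded from your own /fonts/ directory, with font-display: swap added.
// The sample CSS below is constructed; the file hashes in it are made up.
const SAMPLE_GOOGLE_CSS = `
/* latin */
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/inter/v13/aaaa1111.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153;
}
/* latin-ext */
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/inter/v13/bbbb2222.woff2) format('woff2');
  unicode-range: U+0100-02AF, U+1E00-1EFF;
}
/* latin */
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/inter/v13/cccc3333.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153;
}
`;

// Returns the rewritten CSS plus the list of files to fetch once, at build
// time, into fontsDir. The naming scheme (family-subset-weight[-italic]) is ours.
function localizeGoogleFontsCss(css, fontsDir = '/fonts') {
  const downloads = [];
  // Each Google block is preceded by a /* subset */ comment; capture it for the file name.
  const blockRe = /(?:\/\*\s*([\w-]+)\s*\*\/\s*)?@font-face\s*\{([^}]*)\}/g;
  const out = css.replace(blockRe, (whole, subset = 'all', body) => {
    const prop = (name) => {
      const m = body.match(new RegExp(`${name}\\s*:\\s*([^;]+);`));
      return m ? m[1].trim() : null;
    };
    const family = prop('font-family');
    const src = (prop('src') || '').match(/url\(\s*['"]?([^'")]+)/);
    if (!family || !src) return whole;                 // leave anything unexpected untouched
    const remote = src[1];
    if (!remote.startsWith('https://fonts.gstatic.com/')) return whole; // not Google's font host
    const ext = (new URL(remote).pathname.match(/\.\w+$/) || ['.woff2'])[0];
    const slug = family.replace(/['"]/g, '').toLowerCase().replace(/\s+/g, '-');
    const weight = (prop('font-weight') || '400').replace(/\s+/g, '-'); // "100 900" for variable fonts
    const italic = prop('font-style') === 'italic' ? '-italic' : '';
    const local = `${fontsDir}/${slug}-${subset}-${weight}${italic}${ext}`;
    downloads.push({ from: remote, to: local });
    let newBody = body.replace(/src\s*:[^;]+;/, `src: url(${local}) format('${ext.slice(1)}');`);
    if (!/font-display\s*:/.test(newBody)) {
      // Insert font-display: swap just above src, keeping the block's indentation.
      newBody = newBody.replace(/(\s*)(src\s*:)/, '$1font-display: swap;$1$2');
    }
    return `/* ${subset} */\n@font-face {${newBody}}`;
  });
  return { css: out, downloads };
}

const result = localizeGoogleFontsCss(SAMPLE_GOOGLE_CSS);
console.log(result.css);
console.log('download these once into /fonts:', result.downloads);
```

Run it against the CSS you fetch from fonts.googleapis.com with the same User-Agent your visitors use (Google serves different formats per browser), commit the downloaded files with the rewritten CSS, and the two Google origins disappear from every page load.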

For CDN-hosted libraries like jQuery or Bootstrap, install them via npm and serve the files from your own /js/vendor/ or /css/ path. You lose the theoretical cross-site caching benefit (Chrome 86 ended it in October 2020 by partitioning the HTTP cache by top-level site; Safari and Firefox partition too), but you gain full control over versioning and availability, and the bytes you ship are the bytes you audited rather than whatever the CDN serves that day. If you must keep a library on a CDN, pin an exact version and add an integrity attribute so the browser refuses a modified file.

For analytics, consider whether you actually look at the data. Most small businesses have Google Analytics installed and never check it. If you do need analytics, Plausible and Fathom are privacy-focused alternatives that work without cookies; their position is that this removes the need for a consent banner, which you should confirm for your own jurisdiction. If you want to keep GA4, at least load the tag with the async attribute, or only after the load event, so it never sits on the critical rendering path.

For tracking pixels, audit whether each one is still connected to an active campaign. Facebook pixels installed for a one-time ad campaign in 2023 are still leaking visitor data to Meta on every page load in 2026. Remove what you're not using.

What the Remote Dependency Audit checks

The Remote Dependency Audit fetches your page through a proxy, parses every <link>, <script>, <style>, and <img> tag, and identifies every resource loaded from an origin that isn't yours. If you enable deep-scan mode, it also fetches your external stylesheets and finds nested @import and @font-face declarations that load from yet more third-party servers.

Each dependency gets categorized by type (font, script, stylesheet, tracking, image) and risk level: high for tracking scripts that leak visitor data, medium for CDN libraries that create availability dependencies, low for preconnect hints. Note that "low" is not "none": a preconnect still performs the DNS lookup and TLS handshake, so the visitor's IP address reaches the third party even if nothing is ever fetched from it. The tool generates a copy-ready AI fix prompt that walks through exactly how to self-host or remove each finding.
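To make the audit concrete, here is an added example of the same scan in Node.js, written for this post and not the Remote Dependency Audit's own code. It parses a constructed sample page, resolves every link, script and img reference, reports only those that leave the site's origin, follows external stylesheets for nested @import and @font-face sources when a fetch function is supplied (the deep-scan step, simulated here with an inline map instead of a proxy), classifies each finding, and flags external scripts and stylesheets that carry no integrity attribute. The tracker host list is an assumed starter set.

```javascript
// Added example, not the Remote Dependency Audit's own code: a minimal version of
// the scan the post describes, run offline on a constructed sample page. The
// TRACKER_HOSTS list is an assumed starter set; extend it for your own stack.
const TRACKER_HOSTS = new Set([
  'www.googletagmanager.com', 'www.google-analytics.com', 'connect.facebook.net',
  'www.facebook.com', 'static.hotjar.com', 'analytics.tiktok.com',
]);
// Constructed sample page with the dependency tree the post describes.
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swap">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="/img/logo.png" alt="">
<img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" alt="">
<img src="https://images.example-cdn.net/hero.jpg" alt="">
</body></html>`;
// Constructed stand-in for the proxy fetch that deep-scan mode performs (URL -> CSS).
const SAMPLE_CSS = {
  'https://fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swap':
    "@font-face{font-family:'Inter';font-weight:400;src:url(https://fonts.gstatic.com/s/inter/v13/abc.woff2) format('woff2')}",
};
const deepFetch = (url) => SAMPLE_CSS[url] ?? null;

// Attributes of one tag as a lower-cased name -> value object (bare attributes become '').
function attrs(raw) {
  const out = {};
  for (const m of raw.matchAll(/([\w:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g)) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return out;
}

// Type and risk level along the lines the post describes.
function classify(url, tag, rel) {
  if (rel === 'preconnect' || rel === 'dns-prefetch') return { type: 'preconnect', risk: 'low' };
  if (TRACKER_HOSTS.has(url.hostname)) return { type: 'tracking', risk: 'high' };
  if (tag === 'font' || url.hostname === 'fonts.gstatic.com' || /\.(woff2?|ttf|otf)$/i.test(url.pathname)) {
    return { type: 'font', risk: 'medium' };
  }
  if (tag === 'script') return { type: 'script', risk: 'medium' };
  if (tag === 'img') return { type: 'image', risk: 'low' };
  return { type: 'stylesheet', risk: 'medium' }; // <link rel=stylesheet> and @import
}

function auditRemoteDependencies(html, siteOrigin, fetchCss = () => null) {
  const site = new URL(siteOrigin);
  const findings = [];
  const seen = new Set();
  // Resolve a reference against its base; record it once if it leaves our origin.
  function record(ref, base, tag, rel, via, extra = {}) {
    let u;
    try { u = new URL(ref.trim(), base); } catch { return null; }
    if (!/^https?:$/.test(u.protocol) || u.origin === site.origin) return null;
    if (!seen.has(u.href)) {
      seen.add(u.href);
      findings.push({ url: u.href, origin: u.origin, via, ...classify(u, tag, rel), ...extra });
    }
    return u;
  }
  // Deep scan: @import and @font-face src inside CSS, depth-bounded against import loops.
  function scanCss(cssText, base, via, depth) {
    if (!cssText || depth > 3) return;
    for (const m of cssText.matchAll(/@import\s+(?:url\()?\s*['"]?([^'")\s;]+)/g)) {
      const u = record(m[1], base, 'import', '', via);
      if (u) scanCss(fetchCss(u.href), u.href, `@import in ${base}`, depth + 1);
    }
    for (const face of cssText.matchAll(/@font-face\s*\{([^}]*)\}/g)) {
      for (const m of face[1].matchAll(/url\(\s*['"]?([^'")]+)/g)) record(m[1], base, 'font', '', via);
    }
  }
  for (const m of html.matchAll(/<(link|script|img)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase(), a = attrs(m[2]);
    const ref = tag === 'link' ? a.href : a.src;
    if (!ref) continue;
    const rel = (a.rel || '').toLowerCase();
    // Subresource Integrity only applies to scripts and stylesheets, so flag only those.
    const extra = tag === 'script' || rel === 'stylesheet' ? { sri: Boolean(a.integrity) } : {};
    const u = record(ref, site.href, tag, rel, `<${tag}> in HTML`, extra);
    if (u && rel === 'stylesheet') scanCss(fetchCss(u.href), u.href, `stylesheet ${u.href}`, 1);
  }
  for (const m of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) scanCss(m[1], site.href, 'inline <style>', 1);
  return findings;
}

// Roll-up by risk level and number of distinct third-party origins.
function summarize(findings) {
  const s = { high: 0, medium: 0, low: 0, origins: new Set(findings.map((f) => f.origin)).size };
  for (const f of findings) s[f.risk] += 1;
  return s;
}

const findings = auditRemoteDependencies(SAMPLE_HTML, 'https://example.com', deepFetch);
for (const f of findings) console.log(f.risk.padEnd(6), f.type.padEnd(10), f.url, f.sri === false ? '(no SRI)' : '');
console.log(summarize(findings));
```

On the sample page this reports eight third-party resources across seven origins: the fonts.gstatic.com font file appears only because the deep scan followed the Google Fonts stylesheet, which is exactly the nested dependency a surface scan misses. Same-origin resources such as /css/site.css are dropped, and the jQuery script is flagged for missing integrity, which is where the Subresource Integrity Audit picks up.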

It pairs well with the Subresource Integrity Audit for scripts you choose to keep on CDNs, and the Third-Party Script Cost tool for understanding the performance impact of each dependency.

Fact-check notes and sources

  • Google Fonts GDPR ruling: Landgericht München I, case 3 O 17493/20, judgment of January 20, 2022 (€100 in damages for transmitting a visitor's IP address to Google by loading fonts from Google's servers). The Austrian Data Protection Authority (DSB) decision of December 22, 2021 is often cited alongside it but concerned Google Analytics, not Google Fonts.
  • Chrome cache partitioning shipped in Chrome 86 (October 2020), eliminating cross-site CDN caching benefits. Source: Chromium blog, "Gaining security and privacy by partitioning the cache".
  • Cloudflare outage: July 2, 2019, 27-minute global outage due to regex CPU spike. Source: Cloudflare incident report.
  • Facebook/Meta DNS outage: October 4, 2021, ~6 hours. Source: Meta engineering blog post-incident report.

This post is informational, not SEO-consulting or legal advice. Mentions of Google, Cloudflare, Facebook/Meta, and other third parties are nominative fair use. No affiliation is implied.

J.A. Watte is committed to ensuring digital accessibility for people with disabilities. This site conforms to WCAG 2.1 and 2.2 Level AA guidelines.

Contact: jwatte.com/contact

Last updated: April 2026