This document discusses timing attacks against web applications. It begins by referencing a previous conference presentation on timing attacks and front-end performance vulnerabilities. It then demonstrates how subtle differences in response times can reveal privileged information, like whether a username is valid. The document advocates adding random delays to responses to mitigate these timing attack vectors. It provides several examples of timing attacks in practice and potential mitigation techniques to obscure timing patterns and prevent secret information leakage.