Security Considerations for PageSpeed
Any change to a website can introduce new security holes, and PageSpeed is no exception. This document covers specific security concerns to keep in mind when using PageSpeed.
Caution: Do not reference untrusted content on your website. If you do store user content or other untrusted content, keep it on a separate cookie-less domain and do NOT tell PageSpeed to rewrite from that domain to your main cookied domain.
PageSpeed rewrites and, effectively, proxies resources referenced in the main HTML document. It respects public caching headers, so if a resource is not explicitly marked publicly cacheable, PageSpeed will neither rewrite nor re-serve it. However, PageSpeed will re-serve resources that ARE publicly cacheable. If you serve private content as publicly cacheable, PageSpeed will proxy it to anyone who requests its specific URL. Note that any public proxy on the Internet can do the same thing.
Caution: Explicitly mark private content as not publicly cacheable.
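One way to check a site against the caution above is to audit response headers for private paths that are not explicitly marked private. The following is an added example, not PageSpeed's own logic: the path prefixes, sample responses and function names are assumptions, and the classification is a conservative approximation of how a shared cache reads these headers.

```python
# Added example, not PageSpeed code. Paths and headers below are constructed.
PRIVATE_PREFIXES = ("/account/", "/invoices/")  # assumption: site-specific

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lower-cased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def classify(headers):
    """'protected', 'exposed' or 'unmarked' from a shared cache's viewpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return "protected"          # explicitly not publicly cacheable
    # s-maxage takes precedence over max-age for shared caches.
    lifetime = cc.get("s-maxage") or cc.get("max-age") or ""
    # Any Expires header is conservatively treated as a caching grant.
    if "public" in cc or (lifetime.isdigit() and int(lifetime) > 0) or "expires" in h:
        return "exposed"            # a shared cache or proxy may re-serve it
    return "unmarked"               # nothing explicit; do not rely on defaults

def audit(responses):
    """Return (path, verdict) for private paths lacking an explicit mark."""
    findings = []
    for path, headers in responses:
        verdict = classify(headers)
        if path.startswith(PRIVATE_PREFIXES) and verdict != "protected":
            findings.append((path, verdict))
    return findings

SAMPLE = [  # constructed responses
    ("/static/site.css", {"Cache-Control": "public, max-age=31536000"}),
    ("/account/avatar.png", {"Cache-Control": "public, max-age=600"}),
    ("/account/statement.pdf", {"Cache-Control": "private, max-age=0"}),
    ("/invoices/2024-01.pdf", {"Last-Modified": "Mon, 01 Jan 2024 00:00:00 GMT"}),
    ("/invoices/summary.json", {"cache-control": 'Max-Age="300"'}),
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{verdict:9} {path}")
```

Paths reported as "exposed" are the ones a rewriting proxy may re-serve to any requester; "unmarked" paths carry no explicit marking and should be given one.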