LoadForge LogoLoadForge
Log inSign up

10 Common Performance Bottlenecks (and How to Fix Them)

Explore ProductBook a Demo
10 Common Performance Bottlenecks (and How to Fix Them)

Your application works beautifully in development. One user, one request, instant response. Then you deploy to production, traffic grows, and suddenly pages take eight seconds to load, API calls time out, and your database is pinned at 100% CPU. Something is bottlenecking your system, but what?

A bottleneck is the single constraint that limits the overall throughput of your system. Like a traffic jam caused by one lane merging on a highway, everything upstream stacks up behind it. The tricky part is that bottlenecks rarely announce themselves -- they hide behind averaged metrics, only emerging when concurrent load forces the weakest link to reveal itself. That is precisely why load testing is the most reliable way to find them.

This guide covers the ten most common performance bottlenecks in web applications, how each one manifests under load, and proven strategies to fix them.

How to Spot a Bottleneck

Before diving into specific bottlenecks, it helps to understand the general diagnostic approach.

A bottleneck shows itself through a characteristic pattern: as you increase concurrent users, performance degrades disproportionately. If your system handled 100 users at 200ms response time and 200 users at 400ms, that is roughly linear scaling -- not ideal, but predictable. If 200 users pushes response times to 3 seconds, something is saturated.

The tools for identifying bottlenecks fall into two categories:

  • Load testing tools (like LoadForge) show you the external symptoms: response time curves, throughput plateaus, error rate spikes. They tell you that a bottleneck exists and roughly when it appears.
  • Application Performance Monitoring (APM) tools show you the internal cause: which function, query, or service call is consuming the time. They tell you where the bottleneck is.

The most effective approach combines both: run a load test to reproduce the bottleneck, then examine APM data captured during the test to pinpoint the root cause.

1. Unoptimized Database Queries

This is the single most common bottleneck in web applications, and it is responsible for more performance incidents than everything else on this list combined.

How it appears under load: Response times increase steadily as more users are added. Database CPU climbs toward 100% while application server CPU remains low. Specific endpoints that involve complex data retrieval are dramatically slower than simple ones.

Common causes:

  • N+1 queries: Fetching a list of items, then executing a separate query for each item's related data. At 10 items this is barely noticeable. At 1,000 items with 50 concurrent users, it means 50,000 queries per page load.
  • Missing indexes: A query that filters or sorts on a column without an index triggers a full table scan -- reading every row in the table. On a table with millions of rows, this can take seconds per query.
  • Inefficient joins: Joining large tables without proper indexing on the join columns, or joining more tables than necessary.
  • **SELECT ***: Fetching all columns when only two or three are needed wastes I/O, memory, and network bandwidth.

How to fix it:

  • Enable query logging and identify the slowest queries during a load test. Most databases provide a slow query log for exactly this purpose.
  • Add indexes on columns used in WHERE clauses, JOIN conditions, and ORDER BY. Verify the query plan actually uses the index with EXPLAIN or EXPLAIN ANALYZE.
  • Replace N+1 patterns with eager loading (JOIN or IN queries that batch related data in a single round trip).
  • Use query profiling tools: pg_stat_statements for PostgreSQL, the slow query log for MySQL, or your ORM's query debugging mode.

2. Database Connection Pool Exhaustion

Every database connection consumes memory on both the application and database servers. Most applications use a connection pool -- a fixed set of reusable connections -- to avoid the overhead of establishing a new connection for every request. When every connection in the pool is in use, new requests must wait.

How it appears under load: The application handles a moderate number of users comfortably, then hits a sharp cliff. Response times suddenly spike from hundreds of milliseconds to seconds or even minutes. Error rates jump simultaneously. The database itself may not even be under heavy CPU load -- the problem is that requests are queuing for a connection before the query even executes.

Common causes:

  • Pool size is too small for the number of concurrent requests
  • Long-running queries hold connections for extended periods, preventing other requests from using them
  • Transactions left open accidentally (a code path that starts a transaction but does not commit or roll back on all exit paths)
  • Connection leaks: connections checked out of the pool but never returned, often due to exception handling that skips the cleanup code

How to fix it:

  • Tune pool size: A common starting point is 2-3 connections per CPU core on the database server. Monitor pool utilization during load tests to find the right balance.
  • Use an external connection pooler: Tools like PgBouncer (for PostgreSQL) or ProxySQL (for MySQL) sit between your application and database, managing connections more efficiently than most application-level pools.
  • Optimize query duration: Faster queries release connections sooner, effectively increasing pool capacity without adding connections.
  • Set connection timeouts: Configure a maximum wait time for acquiring a connection. It is better to fail fast with a clear error than to queue indefinitely and time out much later.
  • Audit transaction management: Ensure every code path that opens a transaction closes it, including error handling branches.

3. Missing or Misconfigured Caching

When every request results in a database query, your database becomes the bottleneck for every page and endpoint, even when the data rarely changes.

How it appears under load: Database load increases linearly with the number of users. Query logs show the same queries executed repeatedly with identical results. Pages that display mostly static content (navigation, footer, configuration) are surprisingly slow.

Common causes:

  • No caching layer at all -- every request hits the database directly
  • Cache exists but is not used for the highest-traffic queries
  • Cache TTL is too short, causing excessive cache misses
  • Cache invalidation is broken, so the cache is never populated or is cleared too aggressively
  • Static assets served directly from the application server without HTTP caching headers or a CDN

How to fix it:

  • Add an in-memory cache: Redis or Memcached for frequently accessed data. Cache database query results, computed values, and session data.
  • Implement HTTP caching headers: Set Cache-Control, ETag, and Last-Modified headers on responses that can be cached by browsers and CDNs.
  • Use a CDN for static assets: Offload images, CSS, JavaScript, and other static files to a Content Delivery Network. This eliminates static asset requests from ever reaching your application server.
  • Cache at multiple levels: Browser cache for per-user data, CDN cache for public assets, application cache for database results, and database query cache for repeated queries.
  • Monitor cache hit rates: A cache with a 50% hit rate is barely helping. Aim for 90% or higher on your most-trafficked data.

4. Synchronous Processing of Heavy Tasks

Sending a confirmation email, generating a PDF invoice, resizing an uploaded image, or calling a third-party API -- these operations can take hundreds of milliseconds to several seconds each. When they execute synchronously within the request-response cycle, the user waits for all of them to finish.

How it appears under load: Specific endpoints are dramatically slower than others. The slow endpoints correlate with operations that involve I/O to external systems or CPU-intensive processing. Under load, these endpoints bottleneck available worker threads or processes, causing even unrelated fast endpoints to slow down because there are no workers available to serve them.

Common causes:

  • Email sending in the request handler (SMTP connections can take 1-5 seconds)
  • PDF or image generation blocking the response
  • Synchronous calls to third-party APIs (payment processing, geocoding, enrichment services)
  • Data export or report generation triggered by an API call

How to fix it:

  • Move heavy work to a background job queue: Use Celery (Python), Sidekiq (Ruby), Bull (Node.js), or your framework's equivalent. The request handler enqueues the job and returns immediately. The user gets a fast response, and the work happens asynchronously.
  • Return a job ID and let clients poll: For operations where the user needs the result (like a report), return a 202 Accepted with a job ID, and provide a status endpoint they can poll or a webhook that fires on completion.
  • Set timeouts on external calls: If you must call an external service synchronously, set aggressive timeouts so a slow third party does not hold your worker hostage.

5. Memory Leaks

A memory leak occurs when your application allocates memory but never releases it. The process's memory usage grows over time, eventually consuming all available RAM and triggering an out-of-memory (OOM) kill or severe garbage collection pressure that freezes the application.

How it appears under load: This bottleneck is unique because it does not appear in short load tests. A 5-minute test might look perfectly healthy. A soak test -- running moderate load for hours -- reveals the problem as memory usage climbs steadily, response times gradually degrade, and eventually the process crashes or is killed by the operating system.

Common causes:

  • Objects stored in global collections that grow indefinitely (event listeners, caches without eviction, in-memory logs)
  • Closures capturing references to large objects, preventing garbage collection
  • Circular references in languages with reference-counting garbage collectors
  • Connection objects or file handles opened but never closed

How to fix it:

  • Run soak tests regularly: This is the primary defense. A soak test running normal traffic for 4 to 8 hours will reveal memory leaks that shorter tests miss.
  • Profile memory usage: Use language-specific profiling tools -- tracemalloc in Python, Chrome DevTools for Node.js, VisualVM for Java -- to identify which objects are accumulating.
  • Implement bounded caches: Any in-memory cache must have a maximum size and an eviction policy (LRU, TTL, or both).
  • Audit resource cleanup: Ensure database connections, file handles, HTTP clients, and other resources are properly closed in all code paths, including error handlers.

6. Single-Threaded Bottlenecks

Many modern runtimes and frameworks have single-threaded execution models or constraints that limit how much CPU work can happen concurrently.

How it appears under load: CPU usage on the application server maxes out at approximately 100% on a single core while other cores remain idle. Adding more users increases response times but does not increase CPU usage beyond that one-core ceiling. Throughput plateaus at a level well below what the hardware should support.

Common causes:

  • Node.js event loop blocking: CPU-intensive operations (JSON parsing large payloads, image processing, complex calculations) block the single event loop thread, preventing all other requests from being processed.
  • Python GIL: The Global Interpreter Lock in CPython means only one thread executes Python bytecode at a time, regardless of how many threads are created.
  • Single worker process: Running a web server with a single worker, so all requests are serialized through one process.

How to fix it:

  • Use multiple worker processes: Run your application with multiple workers -- one per CPU core is a common starting point. Gunicorn (Python), Cluster mode (Node.js), and Puma (Ruby) all support this.
  • Offload CPU-intensive work: Move heavy computation to worker threads (Node.js worker_threads), separate processes, or background job queues.
  • Use async I/O: Ensure I/O-bound operations (database queries, HTTP calls, file reads) use non-blocking, asynchronous patterns so the main thread is not blocked waiting for I/O to complete.
  • Consider language-level solutions: For Python, use multiprocessing instead of threading for CPU-bound work, or consider PyPy or writing performance-critical sections in C extensions.

7. Network Latency to External Services

Modern applications rarely operate in isolation. They call payment gateways, email providers, geolocation services, analytics APIs, and other microservices. Each external call adds latency to your request path.

How it appears under load: Specific user flows that involve external service calls are significantly slower than purely internal operations. Latency on these flows may be inconsistent -- sometimes fast, sometimes very slow -- because you are subject to the external service's own performance characteristics. Under high concurrency, these calls can exhaust your HTTP client's connection pool, causing requests to queue.

Common causes:

  • Synchronous, blocking calls to external APIs in the request path
  • No connection pooling for outbound HTTP requests (creating a new TCP connection and TLS handshake for every call)
  • No timeout configured, so a slow or unresponsive external service holds your worker indefinitely
  • External service rate limits that throttle your calls under load

How to fix it:

  • Use connection pooling for outbound HTTP: Reuse TCP connections to external services instead of opening a new one per request. Most HTTP client libraries support this with keep-alive connections.
  • Cache external responses: If the external data does not change frequently, cache it. A payment gateway's list of supported currencies does not need to be fetched on every request.
  • Implement circuit breakers: A circuit breaker detects when an external service is failing and stops sending requests to it temporarily, falling back to a cached response or a graceful degradation path. This prevents a failing dependency from taking down your entire application.
  • Set timeouts on all external calls: Every outbound HTTP call should have a connect timeout and a read timeout. Two to five seconds is a reasonable default for most services.

8. Inefficient Serialization

Serializing data -- converting objects to JSON, XML, or other wire formats -- is often overlooked as a performance concern. But when responses are large or serialization is complex, it can consume significant CPU and bandwidth.

How it appears under load: Application CPU is high, but database and external service latency is normal. Profiling reveals that a disproportionate amount of time is spent in serialization code. Response sizes are large (hundreds of kilobytes or megabytes). Network bandwidth between the application and clients or between microservices is saturated.

Common causes:

  • Returning entire database objects with all fields when the client only needs a few
  • Deeply nested object graphs that require recursive serialization
  • Large collections returned without pagination
  • No response compression (sending raw JSON when gzip would reduce size by 80%)

How to fix it:

  • Paginate collections: Never return unbounded lists. Implement cursor-based or offset-based pagination and default to reasonable page sizes.
  • Use sparse fieldsets: Allow clients to request only the fields they need (like GraphQL's field selection or JSON:API sparse fieldsets). Serialize only those fields.
  • Enable response compression: Configure your web server or application to compress responses with gzip or Brotli. Most clients support it, and the CPU cost of compression is usually far less than the bandwidth savings.
  • Flatten deeply nested structures: Consider whether deeply nested response structures are necessary, or whether a flatter response with references (IDs) would be more efficient.

9. Disk I/O Bottlenecks

Disk operations are orders of magnitude slower than memory operations. When your application performs heavy disk I/O -- writing logs, reading configuration files, creating temporary files, or using disk-backed sessions -- it can become the limiting factor under concurrent load.

How it appears under load: High I/O wait on the server (visible in tools like top, iostat, or vmstat). CPU usage may appear moderate, but processes spend a large percentage of their time waiting for disk operations to complete. Performance degrades specifically on endpoints that involve file operations, and concurrent writes to the same disk cause contention.

Common causes:

  • Synchronous, verbose logging to disk on every request
  • Session storage backed by local disk files instead of memory
  • Temporary file creation for processing (image manipulation, PDF generation, data import)
  • Log rotation or cleanup running during high-traffic periods

How to fix it:

  • Use async or buffered logging: Write logs to a buffer and flush periodically rather than on every line. Better yet, ship logs to a centralized logging service over the network.
  • Move session storage to memory: Use Redis or Memcached for session data instead of filesystem-backed sessions.
  • Use memory-backed temporary storage: Mount /tmp as a tmpfs filesystem so temporary file operations happen in RAM.
  • Batch disk writes: If you must write to disk, batch multiple operations together to reduce the number of individual I/O system calls.
  • Use SSDs: If your workload is genuinely I/O-bound and cannot be moved to memory, switching from spinning disks to SSDs provides an order-of-magnitude improvement in random I/O performance.

10. DNS and TLS Overhead

Every new connection to an external service requires a DNS lookup (resolving the hostname to an IP address) and a TLS handshake (establishing an encrypted connection). These steps add tens to hundreds of milliseconds per connection, and they are repeated every time a new connection is established.

How it appears under load: High Time to First Byte (TTFB) on initial requests that drops significantly on subsequent requests to the same service. Connection setup time dominates request latency for short-lived connections. Under high concurrency with many new connections being established, the aggregate DNS and TLS overhead becomes significant.

Common causes:

  • No DNS caching, so every outbound connection triggers a DNS resolution
  • Short HTTP connection keep-alive timeouts that cause frequent reconnection
  • TLS session resumption not enabled, requiring a full handshake on every connection
  • Many concurrent connections to different hosts, each requiring separate DNS and TLS setup

How to fix it:

  • Enable DNS caching: Use a local DNS resolver (like dnsmasq or systemd-resolved) or configure your application's HTTP client to cache DNS results.
  • Use HTTP connection keep-alive: Configure your HTTP clients to keep connections open and reuse them for multiple requests. This amortizes the DNS and TLS cost across many requests.
  • Enable TLS session resumption: Configure your servers and clients to support TLS session tickets or session IDs, which allow subsequent connections to skip the full handshake.
  • Use connection pooling: This is related to the keep-alive point above. Connection pools maintain a set of established, ready-to-use connections to frequently contacted services.

How Load Testing Reveals Bottlenecks

Different load testing patterns expose different categories of bottlenecks. Choosing the right pattern for the problem you suspect is the key to efficient diagnosis.

Load PatternWhat It RevealsExample
Ramp-up testConnection limits, pool exhaustion, scaling ceilingsGradually increase from 10 to 500 users over 15 minutes
Steady-state testThroughput limits, CPU bottlenecks, serialization overheadHold 200 users for 30 minutes
Soak testMemory leaks, connection leaks, disk space exhaustionHold 100 users for 4-8 hours
Spike testAuto-scaling gaps, cold start penalties, queue depth limitsJump from 50 to 1,000 users in 30 seconds
Stress testBreaking points, failure modes, error handling under pressureIncrease load until the system fails

The most effective approach is to combine patterns. Start with a ramp-up test to find the general capacity ceiling, then run a soak test at moderate load to find time-dependent issues, and finally run a spike test to validate your system's behavior under sudden traffic changes.

LoadForge supports all of these patterns and lets you configure custom load shapes to match your specific scenarios. Pairing LoadForge results with your application's monitoring dashboards gives you both the external performance data and the internal system metrics needed to diagnose any bottleneck on this list.

Conclusion

Performance bottlenecks are not mysterious. They follow predictable patterns, they have known symptoms, and they have proven fixes. The challenge is not knowing what to do -- it is finding the bottleneck in the first place. That is where load testing earns its keep. A well-designed load test does not just tell you that your application is slow; it tells you when it gets slow, under what conditions, and gives you the data to figure out why.

If you are new to load testing and want to understand the fundamentals, start with what is load testing. Once you have your first test results, our guide on how to read a load test report will help you interpret the data and connect the metrics to the bottlenecks described in this article.

Try LoadForge free for 7 days

Set up your first load test in under 2 minutes. No commitment.

Start Free Trial