I'm wondering if there are industry standard security measures for protecting self-hosted web fonts?
I've designed the font myself, and would like to use it on my website without someone having the ability to pirate it. From what I've read even the biggest web font providers cannot completely prevent font piracy, so I'm hoping to make it as bullet-proof as possible.
0
Comments
@Lars Schwarz could you point me to a well-explained tutorial covering font obfuscation and properly configuring CDN?
Lastly, I've purchased web fonts with rights for self-hosting and they involved configuring an .htaccess file. Does anyone recommend that method and can provide a tutorial for setup?
Thanks!
If someone wants to download it they can download it, no matter what you do against it. Subsetting is always a good idea (to optimize load times) but other than that, I wouldn’t spend a single minute on any of the techniques.
I have came across some sites that have very good protection preventing a user ripping a webfont.
Site examples:
http://www.filipmatejicek.info/
There’s situations where this is warranted and useful, but not very often.
Another site I suggest just for type testing
http://www.aisforapple.fr/fonts/david
In case I am mistaken, I would be very curious about what this setup achieves and how.
My guess is this (and any other method of obfuscation) mostly provides headaches to paying clients.
It hinders cross-domain font usage and (somewhat) makes downloading them harder because it restricts access to local referrers. But again, the people who download them from websites can do so anyway, and everyone else can just go to Google and get them from there.
"For font loads, user agents must use the potentially CORS-enabled fetch method defined by the [HTML5] specification for URL's defined within @font-face rules. When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document.
"The implications of this for authors are that fonts will typically not be loaded cross-origin unless authors specifically takes steps to permit cross-origin loads. Sites can explicitly allow cross-site loading of font data using the
Access-Control-Allow-Origin
HTTP header."http://www.w3.org/TR/css-fonts-3/#font-fetching-requirements