Preventing download of web fonts?

Göran SöderströmGöran Söderström Posts: 117
edited June 2012 in Technique and Theory
Is there some secure standard way today of preventing people to download self-hosted web fonts? I need to write some guide that goes with our web fonts.

I know that it’s possible to block hot linking, but I’m also looking for a way to prevent download.


  • RalfRalf Posts: 170
    The hot-linking prevention IS also the download-prevention. If you setup a positive REFERRER check, then it will return "false" when it comes from a different domain or from a direct download attempt.

    The Web FontFont manual has an example:

    But to be honest: Don’t do it. There is no such thing as webfont protection. If the user sees the font on the website, he already has downloaded it. Using .woff/eot is enough garden-fence protection.
    REFERRER checks can never work properly, because there is not even a guarantee that the REFERRER value is even sent. A user can just turn it off and then he will not see webfonts. Not good!
  • James PuckettJames Puckett Posts: 1,785
    There is no such thing as webfont protection.
    Agreed. Some type vendors have or will expend lots of resources on protection schemes involving obfuscation, encryption, multiple fonts, etc.. And once web fonts really catch on some bored kid will write a shell script that plows through it all and returns the same complete font the browser gets.
  • I know that none of these are actually protections. Yet I think most people won't download illegally if it's not easy. So making it a little difficult is a wise move, IMHO.

    For your reference, TypeKit explains how they do this, but they seem to have gone a little too far.

    BTW, @opentype, I didn't know that serving only WOFF and EOT can help here. I'm surprised that converting WOFF to TTF is a hard job.
  • PabloImpallariPabloImpallari Posts: 544
    edited June 2012
    There is no possible way to protect web-fonts.
    You can only make it "more difficult" but not impossible.

    Communities who used to extract fonts from pdfs (pdf-x) are now grabbing fonts from the web (wf-x). They are also combining both extraction techniques: Using the pdf extractions (to get the complete char-set) and the webfonts extractions (to get the kerning, classes and OT features).

    Even the new unreleased HFJ webfonts are already floating around.

  • The best we can do is to provide an easy way for people to do it legally. People will always try to do it illegally, but if the system is easy, people are more likely to do it nicely.

    For example, I think Typotheque make it really easy, and really affordable. I think that’s the way forward. iTunes got me to pay for music, so I suppose there is something to be said about that.
Sign In or Register to comment.