How can I prevent web fonts from being downloaded and used illegally?

Question

I have a project where I am using an embedded font using @font-face in CSS. Everything is working fine but the site owner wants to encrypt the font so that no one can use it other than when viewed on the site.

How can that be setup? I have the font on the server, it's embedded using @font-face in CSS, but somehow I have to restrict the access to it.

Using a font hosting company is not an option, it has to be something that can be run locally on the server.

Answer 1

If using a font hosting company is not an option, then you have to do all the work that the font hosting companies do yourself. This means securely delivering the font from your servers to the browser, making sure that the font file only contains enough information to allow the browser to render the type, preventing the end-user from downloading the font itself and using it locally, and obfuscating the font itself.

First up, make sure you have a license to use the font on the web. If you haven't got that, you're screwed.

After that, you'll want to ensure that your fonts are subsetted, so that they only include the characters your website needs to display. Then, you'll need to make sure that your fonts are obfuscated in such a way that the font is unusable on the desktop. Font Squirrel's @font-face generator can do both this and the previous step. Make sure you use the "Expert" mode to create your font kit, use their WebOnly™ protection and subset your font to include the characters.

Font Squirrel will also convert the fonts into EOT, OTF and WOFF files that will help your fonts to be used in the vast majority of modern browsers.

Finally, you should ensure that your web server is configured to prevent hot linking to the font files themselves, preventing them from being requested from anywhere except your site.

Once you've taken those steps, you're about as far along as you can be. You'll want to make sure your font files are cacheable, but you'll need to strike a balance between cache performance and potentially storing files on the browser's cache for a long time. That's an exercise left to the reader.

It's important to remember that even after you take all these steps, it is possible for people to download the altered font files and use them on the desktop with relative ease. You can't prevent people from downloading the fonts and using them illegally in 100% of cases, but by taking these steps, you're further along the road to making sure you've done everything you can.