Font protection

[ausblick]

Hi

I have a customer who plans to use the font they purchased in ProcessWire. They want to protect the font, but still display it (woff2, variable font).
How do you solve this font protection issue, or what ideas do you have for this scenario? 

[markus-th]

A 100% protection is impossible in a browser environment, what a browser can show has to be local.

But you can make it less easy to "steal" the files with preventing direct access and hotlinking to font files

<FilesMatch "\.(woff|woff2)$">
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
    RewriteRule .* - [F]
</FilesMatch>

The most effective way to protect a font is to make it "incomplete" for anyone who steals it. By using the fonttools library (specifically pyftsubset), you can strip away all characters that aren't needed for your specific site. There is a little benefit too, the filesize shrinks 😉

[ausblick]

many thanks @markus-th

[ausblick]

I have following idea to protect a font.
Normally everyone could download that font from assets/fonts. Even an .htaccess could protect that access from outside as @markus-th mentioned above, but not sideloading of the font by accessing it via the webpage, where the font is loaded (if you really want to!). So I have the idea of building something like a route: the font files are not located in a public folder such as assets/fonts/, but in a folder called fonts-private/ outside the root – which is not directly accessible from outside. A route intercepts all requests to /fonts/filename.woff2 and first checks whether the request comes from your own domain. Only then is the file delivered. Anyone who calls up the font URL directly or wants to embed it from another page will receive a 403 error. How to achieve this in ProcessWire.