Hotlink protection for web fonts

Many web font licenses require that the font files are hosted with some basic protection against direct downloads and use on other websites (hotlink protection).

Example from Fonts.com:

Moreover, the web server must be configured in such a way that the web fonts cannot be easily downloaded via the input of a URL in the browser or a wget command. This is known as hotlink protection. In addition, you must ensure that the fonts cannot be linked by third party web pages.

I haven’t found a way in the Netlify documentation to e.g. restrict access to a certain path such as fonts/* to requests with an HTTP header Referer: https://example.com/*, which is what would be necessary to comply with these requirements.

Is there a way to add hotlink protection for certain routes or file types, short of routing all font requests through Netlify Functions?

I don’t think there is, @msch - Functions would have been my suggestion.

If you proxy to another service that serves them through us (not using functions), you could set your remote server to verify a JWS that we set on your proxy redirect; see the signed= directive here: https://www.netlify.com/docs/redirects/#structured-configuration. This wouldn’t exactly be preventing people from downloading via netlify, but it could ENSURE that they downloaded via netlify, which seems to meet the letter of the rules there, but probably not the spirit.

Thanks for your input, @fool. If I understand your suggestion correctly, I’m not sure how that would meet the requirements. It would prevent direct access to the files through this other service, but the access through Netlify would not be restricted in any way.

The way I understand these rules is that it should be impossible to just copy the link in the HTML/CSS files and download the web fonts this way. It’s not a real protection, of course, but the font providers want to make people jump through a few hoops to download web fonts of other websites to make it clear that this is a transgression.

I’m curious how other people have solved this for their Netlify-hosted sites, given that many commercial fonts have similar requirements. Is nobody using self-hosted commercial web fonts? Are people hosting their fonts outside Netlify (e.g. with Apache and appropriate .htaccess rules)? Or is everybody just ignoring the rules and hosting them on Netlify without protection?

Hey there, thanks for providing a tricky question to think about! We don’t have any more advice for you at present for this use case. I’m going to go ahead and move this question to our #topics:opentalk area, which is more of a free-form discussion space, so others can weigh in if they have additional ideas for you :+1:
