Preventing access to fonts with .htaccess

My client ask me to use an especial font with @font-face on his website. But, that font is an asset to his organization, and he's afraid people would steal it. So, is there any way to make that .ttf file accesible by the browser, but prevent direct access (right now, you can read the url within the .css file, and download the font with any browser).

I know there's no absolute solution, and the font would still be available for someone with the right skills set. But I just want to make it harder to steal for the non-experts.

Any suggestions would be greatly appreciated! Thanks!

How I solved this?

Reading this. Typekit's team did a GREAT job on this one. It's really impossible to prevent the robery, but you can make it hard. I did two things:

1. With FontSquirrel Generator, I removed all the desktop glyphs, making the font unusable on a desktop.

2. Encode with Base64 all my TTF directly on my CSS file. (ie. src: url(data:font;base64,jdslajdsaljdlsajdsa))

3. EOT fonts, for IE, can't be converted to Base64. But, you can load those vía a php script that checks the referer, and preven开发者_开发问答t the direct access.

You still can reassemble the font having the base64, and yes, you can fake the referer and download the .EOT. But it would take someone with the right skills-set. People who steals fonts are regulary designer who doesn't know how to trick apache.

This is completely impossible.

Instead, consider using an image, or removing unused characters from the font.

If you let something to get to the browser then its public. AFAIK there is no way to block the stuff that you let browser read it!

Edit this bit of code and you can make image of text with font you want (it need GD library):

<?php
$image = imagecreatetruecolor(145, 30);// Image size
$color = imagecolorallocate($image, 163, 197, 82);// color
$bg = imagecolorallocate($image, 255, 255, 255); // background color white
imagecolortransparent($image, $bg);// Makes Background transparent!
imagefilledrectangle($image,0,0,399,99,$bg);
imagettftext($image, 25, 0, 25, 25, $color, "add/to/font.ttf", "text you can get from post or somewhere");
header("Content-type: image/png");
imagepng($image);
?>

Create a CGI script named .ttf. Add AddHandler cgi-script ttf to the Apache options for this directory (in httpd.conf or .htaccess).

Have the CGI script check the Referer field (yes, it's spelled incorrectly like that in the spec) and compare it against the address you expect it to be coming from. If it is, open the font file and write it (prepended by a couple of HTTP headers, of course). If not, redirect somewhere else.

I never checked the Referer field, but I did something sort of similar with PDFs a long time ago.

Note: if I wanted to get the font, this would only slow me down a little. But it would slow most people down a lot. I recommend making an image file with your text and putting it in your website.

Render the text on the server.

Heard of Cufon? http://cufon.shoqolate.com/generate/

or typekit: http://typekit.com/

or SFIR: http://wiki.novemberborn.net/sifr/

I hope these help you with your research.