What is the best .htaccess code for preventing users from downloading web fonts

Over on Stack Overflow there is a thread on preventing users from downloading webfonts or hot linking web fonts. Some guy somewhere else said to use a .htaccess file with

Order allow,deny
Deny from all

which is of course duh... wrong because it will not deliver the font at all. Here is another so-called solution.

SetEnvIfNoCase Referer "^https?://([^/]*)?example\.com/" local_ref=1
SetEnvIf Referer ^$ local_ref=1

<FilesMatch "\.(eot|svg|ttf|woff)$">
  Order Allow,Deny
  Allow from env=local_ref
</FilesMatch>

But this does not work for me either... if I use the above... the fonts are not sent by Apache.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(otf|ttf|eot)$ - [NC,F,L]


In that final line add any other file extensions that you need to protect. That will allow only requests from pages on your domain. If you need to allow access for another domain, then repeat line 3 with the name of the domain you want to grant access to. You can add as many domains as you need to.
Sivakatirswami (Author) commented:
Yay! it works. Thanks Cobol

Fonts delivered here:


but you can't get in here:


Sivakatirswami (Author) commented:
[shameless EE advocacy] Lots of other places on the web for getting solutions, but, frankly, not always what could be considered best practices, or accurate. EE's experts always deliver.

Yah, that works for just about anything. Mostly it is used to keep leeches from hot linking to images instead of hosting them on their own server.
Question has a verified solution.
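
An added example, not part of the original question, answer or comments: a small Python model of the rewrite rule from the accepted answer, run over constructed requests to show which ones it refuses. Python's `re` stands in for Apache's regex engine, the domain is matched literally, and the `strict` option, the sample paths and `other.example` are assumptions introduced here.

```python
import re

# Model of the accepted answer's mod_rewrite rule (Python re standing in for
# Apache's regex engine). Domains are matched literally; strict is an assumption.
PROTECTED = re.compile(r"\.(otf|ttf|eot)$", re.I)   # RewriteRule pattern, [NC]

def referer_pattern(domain, strict=False):
    """Second RewriteCond; strict also requires ':', '/' or end after the host."""
    tail = r"([:/]|$)" if strict else ""
    return re.compile(r"^http(s)?://(www\.)?" + re.escape(domain) + tail, re.I)

def decide(path, referer, allowed=("yourdomain.com",), strict=False):
    """Return the status the modelled rule yields: 403 for [F], else 200."""
    if not PROTECTED.search(path):
        return 200      # extension not listed in the RewriteRule
    if referer == "":
        return 200      # first RewriteCond (!^$): no Referer header, rule skipped
    # One RewriteCond per allowed domain; conditions are ANDed, so the request
    # is refused only when the Referer matches none of them.
    if any(referer_pattern(d, strict).search(referer) for d in allowed):
        return 200
    return 403

SAMPLES = [  # constructed (path, Referer) pairs, not real traffic
    ("fonts/body.ttf", "https://www.yourdomain.com/index.html"),
    ("fonts/body.ttf", "http://other.example/page.html"),
    ("fonts/BODY.TTF", "http://other.example/page.html"),
    ("fonts/body.ttf", ""),
    ("fonts/body.woff", "http://other.example/page.html"),
    ("fonts/body.ttf", "http://yourdomain.com.other.example/"),
]

def report():
    """(path, referer, status as written, status with strict) per sample."""
    return [(p, r, decide(p, r), decide(p, r, strict=True)) for p, r in SAMPLES]

if __name__ == "__main__":
    for path, ref, as_written, tightened in report():
        print(f"{as_written}  {tightened}  {path:<16} {ref or '(no Referer)'}")
```

The `fonts/body.woff` row passes because `.woff` is not in the rule's extension list, and the lookalike-host row is refused only once the host boundary is added. Requests with no Referer always pass, which fits the comment above that the rule is mostly a hot-linking control.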
