With all of the daily developments in the webfont discussion, the security of font files is a bit sidelined. For foundries, companies, and designers, the security of a font can have legal, competitive, and moral ramifications (which I won't cover here). A web-specific font format, like WOFF, may appear to offer consolation to foundries but relying on browser implementation of any feature is historically dire. I say watch your own ass(ets). I propose a server-side lock and key: Simple PHP Font securitY (SPiFY).

The basic, insecure @font-face has CSS specify a font file with its name and address out there in the naked. Any user with a little know-how can simply type in the address and download the font. I set out to put a chastity belt on it, giving the key only to it’s suitor: my trusted CSS. When a stranger tries to access the font nothing is downloaded, only a message shows up instead; let’s say license info or where to buy the font.

Note: I have removed the code as understanding how it works makes it vulnerable. You may download the files and try it yourself!

This isn’t foolproof but it is fun. I should just stress that you need to check the EULA of your commercial fonts or negotiate with the foundry, and present clients with the pros/cons of this solution.

There are plenty of other issues that accompany the use of @font-face. Compression is a biggy, and that’s something WOFF will help with.

Good resources for other issues:

• Paul Irish: Prevent FOUT (Flash Of Unstyled Text) and Quicken the load time
• Paul Irish: Employing Custom Fonts Now! [update from comments]
• Typekit: Serving and Protecting Fonts on the Web [other techniques]