Implementing Access Control Domain Restrictions for Web Fonts

As stated in the IDAutomation License Agreement, the use of IDAutomation Web Fonts such as WOFF fonts on a publicly accessible website must be limited to the intended domain(s) by enabling domain restrictions within the publicly accessible fonts or web server. IDAutomation does not directly support the implementation of domain limitations; they are supported by the organizations that provide the associated web servers or by the organizations that make the font specifications. However, the implementation examples below may be used for testing in your environment.

Webserver Limitation Methods:

Webserver Implementation Example
Apache Add the following to the htaccess file in the folder where the font files reside on the webserver and change "" to the appropriate domain:
<FilesMatch "\.(ttf|otf|eot|woff)$">
  <IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin ""

Within the @font-face declaration, provide the full absolute URL of the fonts. For example:

@font-face {
  font-family: IDAutomationHC39M;
  src: url(;

Additionally, multiple domains may be specified:

Access-Control-Allow-Origin ","
IIS Add the following to the web.config file in the folder where the font files reside on the webserver and change "" to the appropriate domain:

  1. Open Internet Information Service (IIS) Manager
  2. Right-click the site and choose Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter your domain, for example, as the header value
  7. Click Ok twice

IIS7 and Greater:

  1. Open Internet Information Service (IIS) Manager
  2. Under Sites, click on the domain where the fonts are located
  3. In the IIS section, open HTTP Response Headers
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter your domain, for example, as the header value
  7. Click Ok twice

This should add Access-Control-Allow-Origin to the customHeaders section of the web.config as in the example below:

       <add name="X-Frame-Options" value="SAMEORIGIN" />
       <add name="Access-Control-Allow-Origin" value="" />


Code Limitation Methods:

Code Type Implementation Example
Response.AppendHeader("Access-Control-Allow-Origin", "");

Font Limitation Methods:

Font Type Implementation Example
EOT The Microsoft Web Embedding Fonts Tool (WEFT) can be used to set access restrictions to domains. However, this app is no longer available for download from the Microsoft Typography Site.

Related Information