@kra I mean that, instead of replacing a part of the woff font as this action is prone to error and the font can be "repaired" (thus allowing decryption), the web page could start in this state: @font-face { font-family:'encrypt_sans'; src:url('encrypted_fonts/this_is_where_to_put_the_password.woff') format('woff2'); } with instruction to replace "this_is_where_to_put_the_password" by the actual password (which is the name of the font). Listing of directory "/encrypted_fonts/" being denied, obviously 😉