CRAiD
maja 6. Mai 2026

Using Google Fonts Safely

CRAiD Quick Guide · Compliance & Web

Using Google Fonts Safely – Quick Guide

For organizations with elevated compliance requirements (GDPR, BSI Baseline Protection, NIS2, NATO supplier status, VS-NfD environment).

The Problem in One Sentence

Embedding Google Fonts via fonts.googleapis.com transmits visitors' IP address, user agent, and referrer to Google in the USA – unlawful under GDPR (Munich Regional Court, January 2022) and incompatible with data-egress restrictions in security-critical industries.

The Solution in One Sentence

Self-host the fonts – the Open Font License permits it, the external request is eliminated, and performance usually even improves.

5-Step Guide

1. Obtain the fonts

Use google-webfonts-helper – more convenient than fonts.google.com directly, because the tool generates ready-to-use @font-face snippets.

  • Pick the font (e.g. Inter, Roboto)
  • Select charset: latin is usually enough; add latin-ext for German/European content
  • Tick only the weights you actually use – every extra file costs load time
  • Choose Modern Browsers (woff2) as the format
  • Download the ZIP

2. Place the files

Create a folder in your project, e.g.:

/assets/fonts/inter/
  inter-v13-latin-regular.woff2
  inter-v13-latin-500.woff2
  inter-v13-latin-700.woff2

3. Embed via CSS

Paste the snippet generated by gwfh and adjust the paths:

@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url('/assets/fonts/inter/inter-v13-latin-regular.woff2') format('woff2');
}

font-display: swap ensures text is visible immediately while the font is loading.

4. Remove every Google reference

Commonly overlooked spots to check:

  • <link href="https://fonts.googleapis.com/..."> in HTML
  • @import url('https://fonts.googleapis.com/...') in CSS files
  • Tailwind configs, Bootstrap themes, WordPress themes (often load Google Fonts by default)
  • Third-party widgets, embedded iframes, tracking pixels
  • Browser DevTools → Network tab → filter for font and google: must show zero hits on fonts.googleapis.com or fonts.gstatic.com

5. Enforce via Content Security Policy

Make the rule technically binding – both an audit artifact and protection against accidentally reintroduced Google requests:

Content-Security-Policy: font-src 'self'; style-src 'self'

The browser will then block any external font load attempt, even if a plugin or theme silently re-references Google.

Audit Quick-Check

  • Network tab shows no requests to googleapis.com or gstatic.com
  • CSP header font-src 'self' is active
  • Fonts are versioned in your own repository
  • License notice (OFL) is documented in the project
  • Records of processing activities no longer contain a Google Fonts entry

Bonus: Performance

Self-hosted fonts are usually faster than the CDN variant – a round trip to a foreign host, including DNS, TLS, and HTTP/2 connection setup, is avoided. With a preload hint for the most important font, you can further improve Largest Contentful Paint:

<link rel="preload" href="/assets/fonts/inter/inter-v13-latin-regular.woff2"
      as="font" type="font/woff2" crossorigin>

Bottom Line

Google Fonts may be used – just not delivered by Google. The fonts are freely licensed; the compliance risk is the third-party request, not the font itself.

Agentic Experience Consulting in the Era of AI © CRAiD GmbH 2026 Admin