Webdev Performance Privacy
3 min read

Self-host your fonts

Three reasons every site should self-host fonts in 2026, and why @fontsource makes it a one-liner.

Self-host your fonts
Author
Isaac Bythewood Isaac Bythewood
2026-05-03

I self-host my analytics, my status page, and this blog. It would be strange, then, to outsource the fonts to Google. They are the most-loaded asset on every page.

The original pitch for Google Fonts went: someone else's CDN, free, and the file is probably already cached because every other site loads the same URL. That third argument was the killer feature. It hasn't been true since 2020.

Chrome 86 partitioned the HTTP cache in October 2020 to defeat XS-Leak attacks. Firefox and Safari did the same. Two sites loading the same fonts.gstatic.com/...woff2 URL no longer share a cache entry; they are keyed by top-level site. Your visitors download the font fresh, just like they would from your own server. The shared-cache argument has been dead for over five years, and the numbers back it up.

The privacy argument is worse. The Munich Regional Court ruled in January 2022 that embedding Google Fonts on a public site illegally transfers the visitor's IP address to Google in the United States, and awarded the plaintiff €100 in damages. The court explicitly noted that self-hosting is trivial, so there is no legitimate reason not to do it. A wave of warning letters followed across Germany. Mileage will vary by jurisdiction, but the precedent exists, and "Google's CDN was convenient" is not a defence.

Then there are the bugs you don't know you have. Google silently updates fonts in place. When Inter 4.0 shipped, the slanted italic became a true italic overnight. Every site pointing at the CDN got a redesign for free, with no diff and no notice. Subset behaviour is its own quiet horror: the unicode-range CSS the API serves silently omits characters depending on which subset the browser asks for, like Fira Code's box-drawing glyphs and certain general punctuation. Renders fine locally, mojibake in production.

The fix is a one-liner. @fontsource packages 1500+ open-source fonts as npm modules:

The woff2 files end up in your own static directory, behind your own cache headers, version-locked to your package.json. No third-party DNS lookup. No TLS handshake to a host you don't control. No IP address leaking to Mountain View. No surprise redesigns when someone else commits.

If self-hosting fonts breaks your site, you have a deploy problem, not a font problem. Fix that first, then put one less third party between you and your readers.

Related posts

Some posts in similar tags to this one.

Webdev Ai
Cool URIs don't change, unless an AI rewrites your blog
Cool URIs don't change, unless an AI rewrites your blog
A short post-mortem on letting an AI port my blog from Django to Flask, and the URL design mistake it cheerfully shipped along the way.
Isaac Bythewood Isaac Bythewood
2026-04-29
Webdev Coding
Using Vite with Django in 2026
Using Vite with Django in 2026
I ran webpack on every Django project I had for years. In 2026 it's Vite, no wrapper package needed. Here's the whole setup.
Isaac Bythewood Isaac Bythewood
2026-04-26
Webdev Databases
Optimizing SQLite for Django in production
Optimizing SQLite for Django in production
The default SQLite settings in Django are fine for development but will hit "database is locked" errors under any concurrency. Here's the config I use in production.
Isaac Bythewood Isaac Bythewood
2026-04-18
© 2026 Isaac Bythewood