Every Front-End Anti-Copy Trick, Ranked by How Fast It Breaks
Copy protection on the web is a cost-benefit negotiation, not a technical lock. Understanding exactly where each defense fails prevents teams from over-engineering solutions that degrade accessibility and SEO while still being trivial for a motivated scraper to bypass.
CSS user-select and disabled context menus stop only the least technical visitors; opening DevTools and deleting a rule or toggling a browser setting defeats them in seconds. JavaScript copy-event interception and transparent overlays add a trivial extra step—registering a capture-phase listener or removing a DOM node. The more pragmatic approach, used by Zhihu and The New York Times, allows copying but silently appends a source attribution to the clipboard, trading absolute prevention for provenance tracking.
Canvas rendering and custom-font glyph shuffling represent the hardest tier. Canvas leaves no text in the DOM, killing SEO and accessibility, while font obfuscation maps typed characters to unrelated glyphs so pasted output is gibberish. Both still fall to OCR or font-table analysis, just with higher effort.
An interactive attack-defense simulator lets readers stack protections and choose an attacker profile—from casual user to professional scraper—to see simulated bypass times. The consistent result: every defense is breakable; the only variable is how much friction it adds relative to the value of the content.
The taxonomy from CSS to font obfuscation maps directly to attacker sophistication, making it a practical threat-modeling exercise rather than a security checklist.
Clipboard attribution is a category error in the anti-copy discussion—it solves a business problem (provenance) while the other techniques attempt a technical one (prevention) that is unsolvable.
Font obfuscation's per-user, per-chapter mapping variation is the closest the web gets to a DRM-like scheme, yet it still collapses against a determined adversary with OCR.