What is Font Bakery and how do I use it?

Font Bakery is an open-source Python tool that runs 200+ quality checks on font files. Install with pip: pip install fontbakery. Run checks: fontbakery check-universal myfont.ttf. It tests for issues like missing tables, invalid metrics, hinting problems, and naming table consistency. Google Fonts requires passing Font Bakery checks for submissions.

What is OpenType Sanitizer (OTS)?

OTS is Google's security-focused font validator used by Chrome and other browsers. It parses and validates fonts before rendering to prevent malformed fonts from exploiting browser vulnerabilities. If OTS rejects your font, browsers won't render it. Test with: ots-sanitize myfont.woff2. OTS errors must be fixed for web fonts to work.

What are the most common font validation errors?

Common errors: Invalid table checksums, glyph outlines with incorrect direction (counter-clockwise should be clockwise), missing required tables (cmap, head, hhea, hmtx, maxp, name, OS/2, post), name table encoding issues, metrics inconsistencies between tables, and overlapping points in outlines. Most can be fixed with FontForge or fontTools.

How do I fix 'bad cmap table' errors?

cmap errors usually mean: missing required subtables (platform 3 encoding 1 for Windows), duplicate mappings, or Unicode values out of valid range. Fix by rebuilding the cmap in FontForge: Element > Font Info > Lookups > Remove bad entries, then regenerate. Alternatively, use fontTools to programmatically fix the cmap table structure.

Should I run validation after font conversion?

Yes, always validate after conversion. Conversion tools can introduce errors: incorrect checksums, missing tables, metric recalculations that create inconsistencies, or outline conversion artifacts. Run both OTS (for browser compatibility) and Font Bakery (for comprehensive quality) after any conversion before deploying web fonts.

Font Validation: Testing Quality & Integrity

Learn to validate fonts using Font Bakery and OpenType Sanitizer. Catch errors before deployment and ensure cross-browser compatibility.

Key Takeaways

• OTS validation is critical—browsers reject fonts that fail OTS
• Font Bakery runs 200+ quality checks (Google Fonts requirement)
• Always validate after conversion before deployment
• Common errors are usually easy to fix with font tools

In this article

Font validation ensures your fonts are structurally correct and will render properly across all platforms. This is especially important after conversion—tools can introduce errors that cause fonts to fail in browsers or render incorrectly.

OpenType Sanitizer (OTS)

OTS is Google's security-focused font validator. Chrome, Firefox, and other browsers use OTS to validate fonts before rendering. If OTS rejects your font, it won't display in browsers.

# Install OTS
# macOS
brew install ots

# Linux
sudo apt-get install opentype-sanitizer

# Run validation
ots-sanitize myfont.woff2

# Output examples:
# Success: "File sanitized successfully!"
# Failure: "ERROR: Bad checksum for head table"
# Failure: "ERROR: Table is too short"

Critical Importance

OTS failures mean your web font will not work in browsers. Period. Always test with OTS before deploying web fonts. This is the minimum validation requirement.

What OTS Validates

OTS performs structural validation focused on security—it ensures fonts cannot be used as attack vectors in browsers. Its checks include:

Table boundaries

Verifies no table data extends beyond declared length, preventing buffer over-reads

Checksums

Validates per-table checksums stored in the table directory against calculated values

Required tables

Confirms all 8 mandatory OpenType tables are present and correctly structured

Version fields

Ensures table versions match known valid values (rejects unknown future versions)

OTS deliberately rejects fonts with any structural anomaly, even harmless ones. A font that passes OTS will load in Chrome, Firefox, and Edge. OTS does not check typographic quality—that's Font Bakery's job.

OTS was designed as a browser security sandbox because malformed fonts could trigger memory corruption vulnerabilities in OS-level font rasterizers. Windows GDI and macOS Core Text both accumulated CVEs related to font parsing in the late 2000s, allowing attackers to execute arbitrary code through carefully crafted web fonts. OTS prevents this by reconstructing a sanitized font from scratch rather than passing raw bytes to the OS parser—every table is independently parsed, validated against the spec, and re-serialized into a clean output. This conservative approach means even structurally unusual but technically valid fonts may be rejected if they trigger OTS's strict parsing assumptions.

OTS failures are binary: pass or fail, with no warnings or partial outcomes. When a font fails OTS, the browser silently falls back to the next font in the CSS font stack, with no visible error message for end users. The problem only reveals itself to developers who check the browser console, notice unexpected fallback font rendering, or examine network requests showing a 200 response that produces no font. This silent failure mode is why pre-deployment OTS testing is non-negotiable. The command-line ots-sanitize tool replicates the browser check locally and can be integrated into build pipelines as a required gate before any font deployment.

Font Bakery

Font Bakery is an open-source Python tool that runs 200+ quality checks. It's required for Google Fonts submissions and recommended for all professional font work.

# Install Font Bakery
pip install fontbakery

# Run universal checks (all fonts)
fontbakery check-universal myfont.ttf

# Run Google Fonts profile (stricter)
fontbakery check-googlefonts myfont.ttf

# Run specific checks
fontbakery check-outline myfont.ttf
fontbakery check-opentype myfont.ttf

# Output to HTML report
fontbakery check-universal myfont.ttf --html report.html

Check Categories

OpenType Spec

Table structure, required tables, checksums

Metrics

Consistent values across OS/2, hhea, head

Outlines

Curve direction, overlaps, extreme points

Naming

Name table consistency, copyright format

Reading Font Bakery Output

Font Bakery reports results at four severity levels: FAIL (must fix), WARN (should fix), INFO (informational), and PASS. A clean Google Fonts submission requires zero FAILs and minimal WARNs. Understanding the output format helps prioritize fixes:

$ fontbakery check-googlefonts MyFont-Regular.ttf

>> com.google.fonts/check/name/family_name_compliance
   [FAIL] Name ID 1 should not contain "Regular" substring.
   MyFont Regular → should be: MyFont

>> com.google.fonts/check/metrics_winascent_and_windesced
   [WARN] OS/2 usWinAscent value 1200 is too large.
   Recommended: match your tallest glyph height (900)

>> com.google.fonts/check/glyf_non_symmetric_glyphs
   [PASS] All glyphs have symmetric y-coordinates.

>> com.google.fonts/check/ligature_carets
   [INFO] Font has ligatures but no caret positions defined.
   This is optional but recommended for cursor positioning.

Results: 1 FAIL, 1 WARN, 1 INFO, 1 PASS

FAILs like the naming example are typically quick fixes in a font editor or via fontTools. WARNs about metrics require more care—changing usWinAscent affects line spacing in Windows applications and browsers. Always test changes across platforms before resubmitting.

CI/CD Integration

Font Bakery integrates with GitHub Actions for automated validation. Add it as a pre-release check: fontbakery check-googlefonts fonts/*.ttf --ghmarkdown report.md. The --ghmarkdown flag generates a GitHub-formatted report that appears directly in your PR. For non-Google fonts, use check-universal instead.

Font Bakery organizes its checks into profiles. The universal profile covers checks applicable to any font regardless of distribution channel: OpenType specification compliance, name table correctness, outline quality, and metric consistency. The Google Fonts profile adds requirements specific to the library, including copyright string formatting, required name IDs, minimum Unicode character coverage across the Basic Latin and Latin-1 Supplement blocks, and vertical metrics standards that ensure consistent line spacing in the Google Fonts serving infrastructure. Foundries distributing through other channels typically run only the universal profile to avoid false positives from Google Fonts's opinionated conventions that do not apply universally.

Font Bakery's extensible architecture supports custom check plugins written as Python modules, allowing foundries to encode house-style rules and distribution requirements as executable validation logic alongside the standard checks. Check IDs follow a hierarchical naming scheme: com.google.fonts/check/metrics_winascent_and_windesced identifies namespace, category, and subject. Results are exported as structured JSON, enabling integration with monitoring dashboards and trend tracking across font releases. A mature font development pipeline will accumulate a custom check profile over time that catches the specific classes of errors that historically caused problems for that foundry's fonts on their target platforms.

Common Validation Errors

Error	Cause	Fix
Bad table checksum	Font was modified after generation without recalculating checksums	`font['head'].checkSumAdjustment = 0` then regenerate via fontTools
Wrong contour direction	Outer contours counter-clockwise (should be clockwise for TrueType)	FontForge: Element → Correct Direction. fontTools: `reverseContour()`
Missing required table	Conversion tool stripped tables; corrupt source file	Use ttx to dump XML, identify missing table, rebuild or use better converter
Glyph bounds violation	Glyph outline extends beyond declared bounding box in head table	`fonttools.ttLib.recalc_bounds()` or FontForge: Element → Auto Bounds
Duplicate glyph names	Two glyphs share the same name in the post table, confusing renderers	Rename duplicates; use post table version 2.0 with glyph name array
Invalid cmap subtable	Missing Platform 3, Encoding 1 subtable (Windows Unicode BMP)	Add Format 4 subtable for platform 3, encoding 1 using fontTools
Overlapping contours	Glyph contains self-intersecting or overlapping contours	FontForge: Element → Remove Overlap. Required for hinting tools to work correctly

Validate Your Fonts

Our tools validate fonts automatically during conversion.

Try Font Converter

Written by

Sarah Mitchell

Product Designer, Font Specialist

Verified by

Marcus Rodriguez

Lead Developer

Font Validation FAQs

Common questions about Font Bakery and OTS validation