2

Let's pick an earlier version of the Google Maps API: you had to suffix your API key to the JavaScript Maps API, and this key could just be copied with view source and used by someone else.

Where is the trick here? What am I missing?

I'm not up to Google Maps itself.

timmkrause
  • possible duplicate of [How does Google Maps secure their API Key? How to make something similar?](http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar) – enguerran Oct 31 '13 at 15:47

2 Answers

4

That API Key is specific to a URL and can only be used at that URL.

Brant
  • How do they know the URL? The client asks for the JS file. – timmkrause Jun 29 '12 at 19:33
  • When you apply to Google for the specific API key for your site, it asks what URL will be utilizing this Maps API + Key pair. The site developer requests this, not the site's end-users. – Brant Jun 29 '12 at 19:58
  • I mean the HTML document is sent to the client's browser and the client requests the Maps API with the configured API key. So they can't check if the request comes from the supplied URL. You said the key only works with the specified URL. – timmkrause Jun 29 '12 at 20:03
1

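You should check old answers before creating new ones! :) This subject has been asked several times, like here: [How does Google Maps secure their API Key? How to make something similar?](http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar).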

The answer is: in order for a request to be allowed, the registered URL for that API key should match the HTTP Referer header of the incoming request.

Community
dreyercito
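The Referer check described in the answer above, sketched server-side as an added example; it is not code from either answer or from Google. The keys, URLs, function names and the rule that the registered path acts as a directory prefix are all assumptions made for illustration.

```javascript
// Constructed registry: API key -> URL the site developer registered for it.
// Keys and URLs are made-up sample values.
const REGISTERED = new Map([
  ["KEY-AAAA-1111", "http://www.example.com/store/"],
  ["KEY-BBBB-2222", "https://maps.example.org/"],
]);

// Compare parsed components, not raw strings: a plain startsWith() on the
// header would also accept "http://www.example.com.other.test/store/".
function refererMatches(registeredUrl, refererHeader) {
  let reg, ref;
  try {
    reg = new URL(registeredUrl);
    ref = new URL(refererHeader);
  } catch {
    return false; // malformed Referer header
  }
  if (ref.protocol !== reg.protocol) return false;
  if (ref.host !== reg.host) return false; // URL() lower-cases the host
  // Assumed rule: the registered path is a directory prefix,
  // so /store/ covers /store/map.html but not /storefront/.
  const prefix = reg.pathname.endsWith("/") ? reg.pathname : reg.pathname + "/";
  return ref.pathname === reg.pathname || ref.pathname.startsWith(prefix);
}

// Decide whether a request for the API script, carrying `apiKey` in its
// query string and `refererHeader` in its headers, should be served.
function checkKeyRequest(apiKey, refererHeader) {
  const registeredUrl = REGISTERED.get(apiKey);
  if (registeredUrl === undefined) return { allowed: false, reason: "unknown key" };
  if (!refererHeader) return { allowed: false, reason: "no Referer header" };
  if (!refererMatches(registeredUrl, refererHeader)) {
    return { allowed: false, reason: "Referer does not match registered URL" };
  }
  return { allowed: true, reason: "ok" };
}
```

The browser adds the Referer header itself when a page loads the script, which is how the server learns the embedding URL even though the page never sends it explicitly.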