104

I have obtained a Google Maps API key for my domain.

The examples provided when I obtained my key show the key embedded in request parameters, for example:

<script src="http://maps.google.com/maps?file=api&amp;v=2&amp;sensor=true_or_false&amp;key=my-key" type="text/javascript"></script>

I appreciate that the referrer field in requests must match my domain, but is it safe to make my key visible in script tags and the like? Or are there any other steps I should take?

skaffman
brabster

4 Answers

106

Considering that the key has to be included in the <script> tags of your HTML pages to load the JS files/data from Google's servers, there is nothing you can do:

  • you must put it in your HTML files
  • everyone can take a look at those.

Still, it doesn't really matter: if anyone tries to use this key on another domain than yours, they will get a Javascript alert -- which is not nice for their users.

So:

  • There is nothing you can do; this is the way it works
  • And there is not much you should worry about, I'd say.
Pascal MARTIN
  • 6
    I think you could use a proxy on your own site that used the key to fetch the "real" file. Totally pointless, yes, but I think it's possible. – Tim Sylvester Sep 01 '09 at 22:07
  • 1
    Figured it was worth checking in case I'd missed something. Cheers to those who answered. – brabster Sep 01 '09 at 22:26
  • @Tim: not sure; I'm guessing the JS code itself is checking the domain name of the site that displays the map, and it would seem normal that it compared it, in some kind of way, with some information included in the key -- still, I did not try. ;;; @Brabster: :-) – Pascal MARTIN Sep 01 '09 at 22:50
  • OK, what if Boogeyman takes your key and uses it on a server-side application or just proxifies the results from Google using your key? Doesn't that mean it consumes your quota? Your resources may be consumed in a minute or even less, isn't it? – themihai Apr 17 '12 at 21:10
  • 3
    It does matter, for example if we want to protect the bandwidth usage of our API key. Check my solution. – Ifan Iqbal Dec 28 '13 at 05:47
  • So why do they recommend using a proxy to protect your key then? https://youtu.be/gm1PzasOk1o – axd Apr 20 '16 at 18:00
  • 3
    And what if I take the API key to use in my own app (Windows/iOS/Android)? I can simulate the referrer and use this key for my own purpose at your cost! – zeus Aug 06 '18 at 06:39
27

There is a setting on the Google API console that can protect your API bandwidth usage from being used by another domain/user. You can restrict and protect it by using referrer restrictions on the API console. The API key will reject requests without referrers that match your restrictions.

Here is a screenshot from Google of an API key that can only be used by Google from its two domains.

Ifan Iqbal
  • 3
    what about mobile users? – Muhammad Umer Oct 11 '18 at 23:51
  • To add a bit, details can be found here https://developers.google.com/maps/api-key-best-practices#restrict_apikey – Learner Jul 04 '20 at 12:50
  • @MuhammadUmer There is a separate security setting on keys now to deal specifically with Android apps. An app should use a different key, secured that way. Mobile browser users will function the same as desktop browser users in this case. See https://cloud.google.com/docs/authentication/api-keys – sirlark Dec 15 '20 at 09:26
  • How would you then enable it to work on localhost for testing? Would it just be a separate key that you don't commit to production? – fIwJlxSzApHEZIl Jun 21 '21 at 21:12
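The referrer restriction described in this answer is easiest to reason about as a match of the browser's Referer header against host and path globs. The following is an added example, not code from the answer or from Google, that emulates such a check in simplified form (Google's real matching rules are richer; the allowlist patterns, the `referrer_allowed` function and the sample Referer values are all constructed here). Host and path are matched separately so a `*` in the host part cannot swallow a `/`, which is the mistake that would otherwise let `https://evil.net/www.example.com/` through.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist written in the style of the console's "HTTP referrers" entries.
# Assumption: Google's real matching rules are richer than this; the emulation below only
# illustrates matching the Referer header against separate host and path globs.
ALLOWED_REFERRERS = [
    "https://www.example.com/*",
    "https://*.example.com/*",
]


def _split_pattern(pattern):
    """Split 'scheme://hostglob/pathglob' into its three parts (scheme and path optional)."""
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
    else:
        scheme, rest = "", pattern
    host, slash, path = rest.partition("/")
    return scheme.lower(), host.lower(), (slash + path) or "/*"


def referrer_allowed(referrer, patterns=ALLOWED_REFERRERS):
    """Return True if a Referer header value matches one of the allowlist patterns.

    Host and path are matched separately so that a '*' in the host glob can never
    cross a '/' and match a lookalike path on a foreign host. A missing or
    unparseable Referer is refused, mirroring the behaviour the answer describes.
    """
    if not referrer:
        return False
    parts = urlsplit(referrer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    path = parts.path or "/"
    for pattern in patterns:
        p_scheme, p_host, p_path = _split_pattern(pattern)
        if p_scheme and p_scheme != parts.scheme:
            continue
        if fnmatchcase(host, p_host) and fnmatchcase(path, p_path):
            return True
    return False


# Constructed sample of Referer values, as a log review of key usage might see them.
SAMPLE_REFERRERS = [
    "https://www.example.com/maps.html",   # own site: allowed
    "https://app.example.com/",            # subdomain wildcard: allowed
    "http://www.example.com/",             # scheme mismatch: refused
    "https://example.com.evil.net/",       # lookalike host: refused
    "https://evil.net/www.example.com/",   # host glob must not cross '/': refused
    "",                                    # no Referer at all: refused
]


def audit_referrers(referrers=SAMPLE_REFERRERS, patterns=ALLOWED_REFERRERS):
    """Return a list of (referrer, allowed) decisions for review."""
    return [(r, referrer_allowed(r, patterns)) for r in referrers]


if __name__ == "__main__":
    for referrer, allowed in audit_referrers():
        print(f"{'ALLOW' if allowed else 'REFUSE':6} {referrer or '<no referer>'}")
```

As the comment by zeus above points out, a client that is not a browser can send whatever Referer it likes, so a restriction of this kind stops reuse of the key from other web pages and accidental leaks, but it is not authentication; quota alerts on the key remain the backstop for the scenario themihai describes.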
13

Though this question is a few years old it's a very good one. As I understand it, exposing API keys, even if they are domain matched, could still lead to abuse. There's a post on Security Stack Exchange here that covers this in more detail.

The steps that you can take to avoid potential abuse have been published by Google here:

Best Practice Guide for securely using APIs: https://support.google.com/cloud/answer/6310037?hl=en

Though I would recommend taking all of it on board, there is an approach that would deal with the specific example that was posted by Brabster and that's to store the key in an environment variable. This way all you need to do is to substitute the key for a server-side variable that is stored within your project. However, be sure not to commit the file that stores the key to a public repository.

rjbultitude
    I also feel that this answer doesn't address the question. The maps API requires browser-side javascript, which is always readable by anyone who fetches the page. – david van brink Nov 26 '17 at 17:48
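The two practical points in this answer, supplying the key from a server-side environment variable and never committing it, can be checked in code. The following is an added example, not code from the answer or from Google: it reads the key from the environment and fails fast if it is missing, renders the `<script>` tag from the question with the key interpolated at render time, and scans file contents for anything shaped like a literal key before it reaches a repository. The key-shape regex (39 characters beginning with `AIza`) is an approximation assumed here, not an official specification, and the `FAKE_KEY` and `SAMPLE_TEMPLATE` values are constructed placeholders.

```python
import html
import os
import re

# Assumption: Google API keys are 39 characters starting with "AIza". The pattern is an
# approximation for scanning, not an official specification.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Constructed placeholder with the right shape; not a real key.
FAKE_KEY = "AIza" + "EXAMPLE_KEY_" + "0" * 23


def load_maps_key(env=None, name="GOOGLE_MAPS_API_KEY"):
    """Read the key from the process environment (or a supplied mapping); fail fast if absent."""
    env = os.environ if env is None else env
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to render a page without a key")
    return key


def render_script_tag(key, sensor=False):
    """Build the <script> tag from the question with the key supplied at render time.

    The key is attribute-escaped like any other interpolated value. It is still
    visible to anyone who views the page source, which is why referrer
    restrictions and quota alerts on the key remain necessary.
    """
    src = (
        "http://maps.google.com/maps?file=api&amp;v=2"
        f"&amp;sensor={'true' if sensor else 'false'}&amp;key={html.escape(key)}"
    )
    return f'<script src="{src}" type="text/javascript"></script>'


def find_hardcoded_keys(text):
    """Return (line_number, key) pairs for anything that looks like a literal Google API key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, match.group()))
    return hits


# Constructed file contents standing in for a template about to be committed:
# line 3 embeds a literal key, line 5 shows the placeholder that belongs there instead.
SAMPLE_TEMPLATE = f"""<html>
<head>
<script src="http://maps.google.com/maps?file=api&amp;v=2&amp;key={FAKE_KEY}"></script>
<!-- the line below is what the template should contain instead -->
<script src="http://maps.google.com/maps?file=api&amp;v=2&amp;key={{{{ maps_key }}}}"></script>
</head>
</html>
"""


if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_TEMPLATE):
        print(f"line {lineno}: literal key {key[:8]}... - move it to an environment variable")
    print(render_script_tag(load_maps_key({"GOOGLE_MAPS_API_KEY": FAKE_KEY})))
```

Run `find_hardcoded_keys` over staged files in a pre-commit hook and reject the commit on any hit; the rendered page still exposes the key to the browser, as the comment above notes, so this addresses the repository leak only.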
-3

You should use a back end/server side to protect and handle the key. In my case I used the Django framework server side, which can serve an ajax call to get the key from a server script/db and then pass it on to the Google API.

SKS