
From 11th June it looks like an API key will be required on the JavaScript V3 API.

This is a great change but actually causes a problem that I cannot see a workaround to.

On many sites we work on, we create an API key and then set some HTTP referrer restrictions, as recommended by Google. Again, this is fine and works great for 99% of our customers.

We have a customer, though, that has some IoT devices with an embedded web server on board. One of the pages includes a Google Map to display some content about the local area and some sensor data it is picking up locally. At the moment they are using the keyless access to enable this to work.

The trouble comes though when a key gets added. It cannot be restricted to an HTTP referrer at all as these devices could have a seemingly unlimited combination of hostnames and/or IP addresses that the users access these devices on. For it to work no HTTP referrers could be set. However...! This leaves that API key open to abuse.

Are there any solutions for this kind of deployment that is not open to abuse or is there a way of hiding the API key?

Jim Dyson
  • Possible duplicate of [What steps should I take to protect my Google Maps API Key?](https://stackoverflow.com/questions/1364858/what-steps-should-i-take-to-protect-my-google-maps-api-key) –  May 04 '18 at 11:03
  • Thanks @JohnM but I was hoping someone might have an answer now that we've been forced to use a key. I was also hoping someone might have a solution for my client's keyless current access. – Jim Dyson May 04 '18 at 11:51
  • It's a bit strange as it looks like they haven't supported keyless access since October 2016? https://developers.google.com/maps/pricing-and-plans/standard-plan-2016-update –  May 04 '18 at 12:14
  • Correct, agreed this has been in the making but it still doesn't offer a secure solution to using Google Maps now in that situation. Their support site says to put a question on SO that hopefully someone will pick up, perhaps I am being too hopeful! – Jim Dyson May 04 '18 at 12:38
  • Is there any pattern for window.location.href value in this application? Is it really unlimited combination of hostnames? One thing that you can try is restrict API key to Maps JavaScript API only and if window.location.href has any pattern use it in HTTP referrer restriction. – xomena May 04 '18 at 14:04
  • Yes there is. These devices get plugged into networks that there is no control over so generally are accessed by http:// – Jim Dyson May 05 '18 at 09:33

0 Answers