0

Currently, I'm trying hide my API key from displaying in the network tab of a browser. Here are a few of my GET request to HERE Map, as you can see my API key is exposed:

https://1.base.maps.ls.hereapi.com/maptile/2.1/info?xnlp=CL_JSMv3.1.30.4&apikey={API_KEY}&output=json
https://1.aerial.maps.ls.hereapi.com/maptile/2.1/info?xnlp=CL_JSMv3.1.30.4&apikey={API_KEY}&output=json
https://vector.hereapi.com/v2/vectortiles/info?xnlp=CL_JSMv3.1.30.4&apikey={API_KEY}
https://4.aerial.maps.ls.hereapi.com/maptile/2.1/maptile/eedb0b6253/hybrid.day/3/1/3/512/jpg?xnlp=CL_JSMv3.1.30.4&apikey={API_KEY}

I'm trying to implement a proxy server using Express, and I'm following this guide from HERE Map, and it is still passing the API key in which is being exposed in the browser: https://developer.here.com/documentation/maps/3.1.37.1/dev_guide/topics/custom-configurations.html

const domainConfig = {};
const getoptions = {
  apikey: '<API_KEY>'
};

// Vector Tile service
domainConfig[H.service.omv.Service.CONFIG_KEY] = {
  baseUrl: new H.service.Url(
    'https', 'custom.domain', 'v2/vectortiles/core/mc', getoptions
  ),
  subdomain: 'subdomain' // optional, if subdomain is not needed null must be passed
};

How would I go about implementing a proxy server when there are so many possible subdomains and hide the API key?

Maze Laurent
  • 1
  • Does this answer your question? [Make get request to third party API with api key using express.router();](https://stackoverflow.com/questions/57410131/make-get-request-to-third-party-api-with-api-key-using-express-router) – Heiko Theißen Mar 20 '23 at 14:44

1 Answers1

0

To restrict usage of API Keys, its best to utilize the Trusted Domain capability to limit usage to a specific set of domains. See details of this feature here: https://developer.here.com/documentation/identity-access-management/dev_guide/topics/plat-using-apikeys.html

Disclosure: I'm a product manager at HERE Technologies

David Kircheis
  • 89
  • 5