Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do I need to hide API key when using google maps js API? If so, how?

Tags:

javascript

html

google-maps

google-maps-api-3

According to https://developers.google.com/maps/documentation/javascript/tutorial#HTML5 , it seems I can add the following tag to my html and start using maps js API.

<script async defer       src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"> </script>

But this will reveal my API key.

After searching on google and browsing answers on stackoverflow, I feel that maybe there is no need to hide this API key. I just need to set the referer when I create the API key on google, as explained in https://stackoverflow.com/a/2256312/1316649

So, even others know my API key, they cannot use it from another domain. Am I right?

But google says you shouldn't embed API key in code: https://support.google.com/cloud/answer/6310037

So, do I need to hide API key when using google maps js API? If so, how?

Update: By 'API key', I meant browser API key.

like image 722
fstang Avatar asked Jul 01 '16 20:07

fstang

People also ask

Does Google Maps need API key to embed?

You must include an API key with every Maps Embed API request.

Why should I hide my API key?

Not hiding your API key and secret may result in others using your API for free which is possible abuse to you if you paid for it. Attackers might use your credentials for attack and the blame goes on you.

2 Answers

You can create multiple API keys with different restrictions to use them safely. For embedding a map, the Google Maps documentation has instructions for creating a correctly restricted API key so that it cannot be abused for other purposes at Get an API Key - Restricting API keys. It's OK to include a restricted API key in your source code, because you cannot embed a map properly without doing that anyway.

If you need server-side API access, you can create a second API key with less restrictions. That one should be kept secret.

like image 172
Matti Virkkunen Avatar answered Sep 18 '22 21:09

Matti Virkkunen

While the above answers are helpful, none of them addresses the following vulnerability:

Once a user has access to your API key, even if they are restricted to using it only from your domain, they can still use it as much as they want. In the crudest sense, this could mean a million page refreshes (and map loads) in a very small amount of time, consequently putting you over your usage quota.

I haven't come across any solutions that address this issue. Unless I'm missing something...?

Relevant usage limits for google maps javascript api here.

like image 39
Murcielago Avatar answered Sep 21 '22 21:09

Murcielago
Sign in to Comment

Related questions

How to set CSS3 transition using javascript?
Creating stripe token using separate elements
Sort latitude and longitude coordinates into clockwise ordered quadrilateral
How to retrieve the constructor's name in JavaScript?
Action on blur except when specific element clicked with jQuery
Twitter Bootstrap / jQuery - How to temporarily prevent the modal from being closed?
Regular Expression For At Least One Number
Typescript error runtime error: Cannot read property 'prototype' of undefined when extending
How to implement debounce fn into jQuery keyup event?
What is the significance of faded properties when using console.dir in Chrome Developer Tools Console
Problem with HTML Parser in IE
Caching a promise object in AngularJS service
Sequelize - How can I return JSON objects of the database results only?
How do I use a static variable in ES6 class?
Format the text in JavaScript alert box
How do I enable debug mode in Webpack?
How to specify null prop type in ReactJS?
What's the best WYSIWYG editor when using the ASP.NET MVC Framework? [closed]
Difference between assigning function to variable or not
Expected a spy, but got Function

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!