The Google Search Console offers a couple of methods for claiming ownership of a site. The recommended one is to download an HTML verification file and upload it to your site. An alternative method is to add a meta tag to your HTML that has a certain unique code as its content attribute.
Here's my question: If my site is hosted as a public repo on GitHub Pages, is it safe for me to upload said file or to include said meta tag in my HTML if other people can view those? Is there any way for someone to later use those files maliciously to gain access to my Google Search Console account and/or any privileged site traffic/analytics information?
It is totally safe to publish that file. Actually, everyone publishes it if they do upload it to their server or add it to the meta.
Anyone can access the file by appending the name of it to the URL of any verified Google Search Console site. It's even easier if they put it in the meta of a site, since you can always look at the source code. The token that you get from Google is totally random and unique. Google just wants to check that you have access to the file system of a server. If somebody else uploads it to their website, you could also prove that their website is yours. The token alone can't authenticate on anything.
The best proof would be that YouTube also published its token. If you do a TXT lookup for youtube.com you get this result:
TXT | youtube.com | google-site-verification=OQz60vR-YapmaVrafWCALpPyA8eKJKssRhfIrzM-DJI
It is safe, and has been done before.
This is about ownership of a website, not authentication/authorization to your own Google Search Console (which remains linked to your Google account).
The official documentation is "Google Site Verification API":
Users can only access certain Google services if their verification data shows that they are the owners of the particular website domain.
You can use the API to generate verification tokens for authenticated users, which your code can place in various ways on your websites or domain records on their behalf.
Once the token is in place, you make a call to the API to ask Google to check for the token.
If Google finds the token, it registers the authenticated user as an owner of the website or domain. All API calls need to be authorized by an authenticated user, and all API calls are executed in the context of the authenticated user's account.
That means: even if a third party gets hold of your token, it cannot do anything with it, since you (the authenticated Google account user) would not authorize any API call done with it.
More specifically:
Google Site Verification API enforces some restrictions on how it is used:
- Data access for authenticated user only: All operations require user authentication and authorization.
- Verification for authenticated user only: The API can only verify ownership of sites or domains for the currently authenticated account.
However, the authenticated user can delegate ownership to other users after their ownership of a site has been verified.
Note that all owners are notified by email whenever changes are made to the ownership list.
- Normalized URLs and domain names only: The Google Site Verification API does not support IDN (International Domain Name) encoding.
Be sure to normalize all URLs, domain names, and email address domains to the standard domain name character set (RFC 1034 §3.5) using Punycoding if necessary.
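To make the argument in both answers concrete, here is an added Python model (not code from the answers or from Google) of what the verifier side does: it extracts tokens from the meta-tag and DNS TXT forms shown above and grants ownership to the account the token was issued to, so a copied token only ever makes the original account an owner of wherever it appears. The token values, accounts and the ISSUED_TO registry are constructed for the example.

```python
import re
from html.parser import HTMLParser

class _MetaScanner(HTMLParser):
    """Collects the content of every <meta name="google-site-verification"> tag."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "google-site-verification":
            self.tokens.append((a.get("content") or "").strip())

def tokens_in_html(html):
    """Tokens published via the meta-tag method (anyone can read them in the page source)."""
    scanner = _MetaScanner()
    scanner.feed(html)
    return scanner.tokens

def tokens_in_txt_records(records):
    """Tokens published via the DNS method, i.e. google-site-verification=<token>."""
    found = []
    for record in records:
        m = re.fullmatch(r"\s*google-site-verification=([A-Za-z0-9_-]+)\s*", record)
        if m:
            found.append(m.group(1))
    return found

# Constructed token registry (hypothetical): the issuer remembers which authenticated
# account each random token was minted for. Only the issuer holds this mapping.
ISSUED_TO = {"tokA": "alice@example.com", "tokB": "bob@example.com"}

def verify(found_tokens, issued_to=ISSUED_TO):
    """Simulated verifier: ownership goes to the account a token was issued to,
    whoever actually placed it on the site. Tokens nobody issued grant nothing."""
    return {issued_to[t] for t in found_tokens if t in issued_to}

def demo():
    # Constructed inputs: Alice's page, and Bob's page where Bob copied Alice's public token.
    alice_page = '<html><head><meta name="google-site-verification" content="tokA"/></head></html>'
    bob_page = '<html><head><meta name="google-site-verification" content="tokA"/></head></html>'
    dns = ["v=spf1 -all", "google-site-verification=tokB"]
    return {
        "alice_site": verify(tokens_in_html(alice_page)),   # {"alice@example.com"}
        "bob_site": verify(tokens_in_html(bob_page)),       # still Alice, never Bob
        "dns": verify(tokens_in_txt_records(dns)),          # {"bob@example.com"}
        "garbage": verify(["not-issued-by-anyone"]),        # set()
    }
```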