How to google maps api keys safe on website

Question

I am using the google maps api on my website and would like to use my API key, but I'm confused about how to keep it safe. I know that I could just hardcode the actual key right into index.html

<!DOCTYPE html>
<html>
<head>
<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false&key=HARDCODED_KEY"></script>

But then it's right there for anyone to see when they view the source code for the site. I also don't want it to show up in the DOM if someone's viewing the site with a debugging tool, like Firebug.

I'm assuming that there is a way to store it in a separate file (probably outside my html/ directory) that I can source. If anyone could provide an example or comment on whether this approach would be relatively secure, I'd really appreciate the help. I've found other posts on this topic, but none that apply for this (relatively simple) case.

Answer 1

Just set the referrers, as mentioned in the documentation:

To prevent other applications from using your key and consuming your quota, you can limit the IP addresses that can use your API key to send requests:

Visit the Google Developers Console and log in with your Google account.

Select the project that was created for you when you signed up. The project name will start with Google Maps API for Work.

In the sidebar on the left, select Credentials.

Find the key you're using under the Public API Access heading, and click Edit allowed IPs.

Enter the IP addresses from which your key is to be accepted, one per line. You may also enter a subnet using CIDR notation (e.g. 192.168.0.0/22).

Also you may come up with this question after you set the referral, I think you'll find it useful.