I am using the google maps api on my website and would like to use my API key, but I'm confused about how to keep it safe. I know that I could just hardcode the actual key right into index.html
<!DOCTYPE html>
<html>
<head>
<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false&key=HARDCODED_KEY"></script>
But then it's right there for anyone to see when they view the source code for the site. I also don't want it to show up in the DOM if someone's viewing the site with a debugging tool, like Firebug.
I'm assuming that there is a way to store it in a separate file (probably outside my html/ directory) that I can source. If anyone could provide an example or comment on whether this approach would be relatively secure, I'd really appreciate the help. I've found other posts on this topic, but none that apply for this (relatively simple) case.
When you use API keys in your Google Cloud Platform (GCP) applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account.
Before sharing your API key, regenerate it and label it as the newest shared key. Don't share API keys through email. Always use HTTPS/SSL for your API requests — some APIs won't field your request if you're not using it. Assign a unique API key to each of your projects and label them accordingly.
API keys aren't as secure as authentication tokens (see Security of API keys), but they identify the application or project that's calling an API. They are generated on the project making the call, and you can restrict their use to an environment such as an IP address range, or an Android or iOS app.
Just set the referrers, as mentioned in the documentation:
To prevent other applications from using your key and consuming your quota, you can limit the IP addresses that can use your API key to send requests:
Visit the Google Developers Console and log in with your Google account.
Select the project that was created for you when you signed up. The project name will start with Google Maps API for Work.
In the sidebar on the left, select Credentials.
Find the key you're using under the Public API Access heading, and click Edit allowed IPs.
Enter the IP addresses from which your key is to be accepted, one per line. You may also enter a subnet using CIDR notation (e.g. 192.168.0.0/22).
Also you may come up with this question after you set the referral, I think you'll find it useful.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With