问题
I am currently developing an Ionic app where I have an embedded Google Map. The Google Maps V3 API recommends using an API key for tracking usage. The thing is when I create an API Key for browser usage I can only secure my API key by specifying referrers. Now I don't have a referrer on mobile devices so what can I do to avoid that other people can also use my API key?
回答1:
The way I see it you have two options:
- You can not secure it at all, since in order for someone to get the key they will need to extract it from your application. In most cases even if someone were to obtain the key, it is doubtful they would use it for anything malicious since they could just get their own key. This is a risk you have to assess on a project by project basis and decide if it is something you can tolerate.
- The second option is to secure it down to a specific referrer and then spoof the referrer being used by your web views on the device. There are a few examples on stack overflow on how to do this. See Specifying HTTP referer in embedded UIWebView
Either way, it is still possible for someone to get your key and use it to make requests on your behalf. They could do it by spoofing the referrer themselves even if you go that route since it is a header provided by the client browser.
回答2:
I think the best way to do this is to create a proxy server which use server key to call the API, and where require user login with their userID (if your app need to login) or may be device id. At least you have some control over what is happening.
来源:https://stackoverflow.com/questions/29157626/how-to-secure-my-google-maps-javascript-v3-api-key-within-an-ionic-cordova-app