1. 技术文章
  2. Do I need to hide API key when using google maps js API? If so, how?

Do I need to hide API key when using google maps js API? If so, how?

烂漫一生 提交于 2019-12-21 03:15:19

问题


According to https://developers.google.com/maps/documentation/javascript/tutorial#HTML5 , it seems I can add the following tag to my html and start using maps js API.

<script async defer
      src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
</script>

But this will reveal my API key.

After searching on google and browsing answers on stackoverflow, I feel that maybe there is no need to hide this API key. I just need to set the referer when I create the API key on google, as explained in https://stackoverflow.com/a/2256312/1316649

So, even others know my API key, they cannot use it from another domain. Am I right?

But google says you shouldn't embed API key in code: https://support.google.com/cloud/answer/6310037

So, do I need to hide API key when using google maps js API? If so, how?

Update: By 'API key', I meant browser API key.


回答1:


There are multiple types of API keys for Google Maps. There's browser keys, which are to be used when embedding the client side libraries, and that's OK to reveal to people (you need to use it on the client side so you can't avoid that anyway). Then there's server-side keys which are used for things such as geocoding services. Those are supposed to be kept secret.

Just make sure you're using a browser key.




回答2:


While the above answers are helpful, none of them addresses the following vulnerability:

Once a user has access to your API key, even if they are restricted to using it only from your domain, they can still use it as much as they want. In the crudest sense, this could mean a million page refreshes (and map loads) in a very small amount of time, consequently putting you over your usage quota.

I haven't come across any solutions that address this issue. Unless I'm missing something...?

Relevant usage limits for google maps javascript api here.




回答3:


The link that you posted that says you shouldn't embed API keys in code is related to Google's Cloud Platform. You are fine to leave your API key for Google Maps in your code.




回答4:


I would recomend restricting your API keys to only be used by the IP addresses & referrer URLs that need them: By restricting the IP addresses, referrer URLs, you can reduce the impact of a compromised API key.

You can specify the hosts and apps that can use each key from the console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.

This should help you to secure your API keys.

Jeff



来源:https://stackoverflow.com/questions/38153734/do-i-need-to-hide-api-key-when-using-google-maps-js-api-if-so-how

标签
javascript
html
google-maps
google-maps-api-3
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!