Based on documentation here
I added HTTP restrictions using wildcards like so:
https://*.mydomain.com
https://*.mydomain.com/*
This should cover all paths for all subdomains, but I receive a RefererNotAllowedMapError error when I try to use https://www.dev.mydomain.com/#/
I even tried explicitly adding https://www.dev.mydomain.com/#/, but I get the same error.
I am totally lost and have no idea what to do. Clearly other people are using Google Maps APIs and not leaving them totally unrestricted so there has to be a way to do this.
Try adding these two HTTP restrictions instead:
*.mydomain.com/*
mydomain.com/*
These two will allow your API key to be used in all sub-domains and paths in your website.
Adding (*.) before your domain will allow something like "www.mydomain.com" or "dev.domain.com" to access your API key.
Adding (*) after your domain will allow something like "domain.com/path" to access your API key.
First of all, I want to use the Google Places API for autocomplete. I have created an API key and it works fine. I make API calls from the client, so I need to protect or restrict it. I tried to use an HTTP restriction, but it doesn't work with the Places API. There is a recommendation in the docs to use an IP restriction, but it requires some proxy server to make the API calls. So which way is right? Do I need a proxy server with an IP restriction to make API calls? Or is there some way to make secure API calls from the client?
Normally, when you are calling the requests from the client side, the key should be restricted via HTTP referrers, and IP address restrictions are used when you are calling the requests from the server side, which has a static IP address. If you're calling from the client side and your HTTP restrictions are not working, it will be best to file a support case via https://console.cloud.google.com/google/maps-apis/support in order to open a personalized communication channel, as this must be an isolated case and might have something to do with your configuration in your GCP console.
I would also recommend checking the sample HTTP restriction below:
example.com
*.example.com
These two will allow your API key to be used in all subdomains and paths in your website.
I know I have to set the credentials, and I have done so. I have waited about half an hour between credential changes, I've tried many domains and ports, and I still get the RefererNotAllowedMapError.
These are the values I've set in my API key credentials properties:
https://gist.github.com/onzag/23b01979d9bd99c749d8a998c4fa841d
I've tried no value at all, I've tried even an open API key with no restrictions at all (which gives a different error and says that it's expired); I've created a couple of dozen API keys with different combinations, no luck.
I've tried exact paths, without wildcards, different domains, I've removed the protocol; I've read every single trick I can find online and nothing does the job.
Does anyone have an idea? Do I need to create a new developer account?...
I figured it out. For anyone else struggling with an impossible-to-fix RefererNotAllowedMapError: it has nothing to do with your credentials at all. You are forced to enable the Google Maps JavaScript API, even if the development guide says that Places is an independent API from Maps.
The error is totally misleading; there's nothing wrong with your credentials.
I receive a 403 error in the Google Maps API dashboard for the Geocoding API after limiting the key to my domain. The geocoding works when the key is unrestricted. Currently I have the following as acceptable HTTP referrers:
https://website.com/*
https://www.website.com/*
This allows my basic JavaScript map and autocomplete forms to work on HTML pages. However, the geocoding is done through a Python script that accesses website.com/markers (has no HTML page, just displays JSON data if you visit it). Is there a reason it will not work? The 403 error is what I see in the API dashboard, but I receive an internal server error message when visiting website.com/markers. When unrestricted, the dashboard shows response code 200 and I can see the correct JSON data. Therefore, I believe my code is not the issue.
Things I have tried:
Allowing “https://website.com/markers” as a referrer, as well as www. version of that, and http versions. Also used versions without http or https.
Changing to allow IP address of website (referrer not allowed error happens when I do this)
Double checking all references to API key in code. Code works in development and in production when unrestricted.
Double checked that all needed services are enabled in the Google API console and not over quotas.
I have searched for this issue for hours and cannot find an answer, please go easy on me if I have overlooked something simple.
It sounds like you're trying to use the method of URL restriction intended for use with client-side web APIs. In that case, the public URL of the site is used in the validation.
You want to use the IP address validation, intended for server-side calls.
The following is from https://developers.google.com/maps/faq#keysystem:
API Key: An API key is a unique identifier that you generate using the Google API Console. API keys are generally used with the standard APIs. Premium Plan customers typically can choose to use a client ID or an API key. You can choose to use an API key without applying restrictions (called a “generic API key”) or a key with restrictions applied for greater security. APIs in any platform may use a generic API key.
You can optionally add a restriction (for example, IP address) to the API key. Once restricted, a key will only work on platforms that support that type of restriction. Four types of API key restrictions are available:
IP addresses (individual servers) - for use with the web service APIs.
HTTP referrers (web sites) - for use with the Web APIs.
Android app restriction (by package name and fingerprint) - for use with the Android APIs.
iOS app restriction (by iOS bundle identifier) - for use with the iOS APIs.
You need a different key for the web services. You can't apply both HTTP and IP restrictions on the same key. You need HTTP restrictions on your Google Maps JavaScript API v3 key and IP restrictions on your web service key.
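The two-key split described in the answers above, sketched for the server-side geocoding script (an added example, not code from any of the posts). The environment variable name `MAPS_SERVER_KEY` and the sample response bodies are assumptions constructed for illustration; the endpoint and the `status` / `error_message` fields are those of the Geocoding web service.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GEOCODE_ENDPOINT = "https://maps.googleapis.com/maps/api/geocode/json"
SERVER_KEY_ENV = "MAPS_SERVER_KEY"  # assumed name; holds the IP-restricted key

class GeocodeError(RuntimeError):
    """The web service rejected the request or the key is missing."""

def build_geocode_url(address, env=os.environ):
    """Build the request URL with the server key read from the environment."""
    key = env.get(SERVER_KEY_ENV)
    if not key:
        raise GeocodeError(f"{SERVER_KEY_ENV} is not set")
    return GEOCODE_ENDPOINT + "?" + urllib.parse.urlencode({"address": address, "key": key})

def parse_geocode_response(body):
    """Return (lat, lng) of the first result, None if nothing matched."""
    data = json.loads(body)
    status = data.get("status")
    if status == "ZERO_RESULTS":
        return None
    if status != "OK":
        # REQUEST_DENIED is the status the service returns when it rejects the key;
        # surface it with the API's own message instead of a generic server error.
        raise GeocodeError(f"{status}: {data.get('error_message', 'no detail given')}")
    location = data["results"][0]["geometry"]["location"]
    return location["lat"], location["lng"]

def geocode(address):
    """Live call from the server; HTTP-level failures become GeocodeError too."""
    try:
        with urllib.request.urlopen(build_geocode_url(address), timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        raise GeocodeError(f"HTTP {err.code} from the web service") from err
    return parse_geocode_response(body)

# Constructed sample bodies in the Geocoding API's JSON shape (not captured traffic).
SAMPLE_OK = json.dumps({"status": "OK", "results": [
    {"geometry": {"location": {"lat": 45.5430913, "lng": -73.6207784}}}]})
SAMPLE_DENIED = json.dumps({"status": "REQUEST_DENIED", "results": [],
                            "error_message": "constructed denial message"})
```

The browser key with HTTP referrer restrictions stays in the page's script tag; only this script reads the second key, so the two restriction types never have to coexist on one key.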
Starting from recently, any request I try to get a static image from the Google Static Map API gets this text response:
This web site needs a different Google Maps API key
According to documentation https://developers.google.com/maps/documentation/staticmaps/#Limits
Note that the use of a key is not required, though it is recommended. Examples in this document do not include the key parameter so that they will work for all users who cut-and-paste the code.
Has this changed and did they forget to document it? There's a warning at the doc page that says the usage limits have changed (though then the usage limits that are claimed are the same as before!!) but it doesn't say that the use of an API key has become required.
If I had hit the usage limit, which I certainly haven't, then I would (or should) get a different response, as I experienced in the past.
The exact same requests used to work until recently.
Can anybody clarify?
Example request:
http://maps.google.com/staticmap?center=45.54309129999999,-73.62077841957398&zoom=16&size=480x360&maptype=mobile&markers=45.54309129999999,-73.62077841957398&sensor=false
It appears you are using an old URL for V1 (whose deprecation period has ended). For V2 it has to be:
https://maps.googleapis.com/maps/api/staticmap?center=45.54309129999999,-73.62077841957398&zoom=16&size=480x360&maptype=hybrid&markers=45.54309129999999,-73.62077841957398&sensor=false&mobile=true
I have obtained a Google Maps API key for my domain.
The examples provided when I obtained my key show the key embedded in request parameters, for example:
<script src="http://maps.google.com/maps?file=api&v=2&sensor=true_or_false&key=my-key" type="text/javascript"></script>
I appreciate that the referrer field in requests must match my domain, is it safe to make my key visible in script tags and the like? Or are there any other steps I should take?
Considering that the key has to be included in the <script> tags of your HTML pages, to load the JS files/data from Google's servers, there is nothing you can do:
you must put it in your HTML files
everyone can take a look at those.
Still, it doesn't really matter: if anyone tries to use this key on another domain than yours, they will get a JavaScript alert -- which is not nice for their users.
So :
There is nothing you can do ; this is the way it works
And there is not much you should worry about, I'd say.
There is a setting on the Google API console that can protect your API bandwidth usage from being used by another domain/user. You can restrict and protect that by using a referrer on the API console. The API key will reject requests without referrers that match your restrictions.
Here is a screenshot from Google for an API key that can only be used by Google from its two domains.
Though this question is a few years old, it's a very good one. As I understand it, exposing API keys, even if they are domain matched, could still lead to abuse. There's a post on Security Stack Exchange here that covers this in more detail.
The steps that you can take to avoid potential abuse have been published by Google here:
Best Practice Guide for securely using APIs:
https://support.google.com/cloud/answer/6310037?hl=en
Though I would recommend taking all of it on board, there is an approach that would deal with the specific example that was posted by Brabster and that's to store the key in an environment variable. This way all you need to do is to substitute the key for a server-side variable that is stored within your project. However, be sure not to commit the file that stores the key to a public repository.
You should use the back end/server side to protect and handle the key. In my case I used the Django f/w server side, which can serve an AJAX call to get the key from a server script/db and then pass it on to the Google API.
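A check for the "do not commit the file that stores the key" advice above, as an added example that is not part of any answer: a small scanner that can be run over files before they are committed. It assumes the usual Google API key shape (39 characters beginning with `AIza`, the pattern secret scanners commonly match); the sample key is a constructed dummy.

```python
import re
import sys

# Google API keys: "AIza" followed by 35 URL-safe characters (assumed pattern).
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

def redact(key):
    """Keep enough of the key to identify it without re-leaking it in logs."""
    return key[:8] + "..." + key[-2:]

def scan_text(text):
    """Return (line_number, redacted_key) for every hard-coded key found."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((number, redact(match.group())))
    return hits

def scan_files(paths):
    """Scan the given files; returns {path: hits} for files with findings."""
    findings = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits = scan_text(handle.read())
        if hits:
            findings[path] = hits
    return findings

# Constructed samples: the key is a dummy built from the prefix plus filler.
FAKE_KEY = "AIza" + "0" * 35
SAMPLE_HARDCODED = f'import requests\nMAPS_KEY = "{FAKE_KEY}"\n'
SAMPLE_FROM_ENV = 'import os\nMAPS_KEY = os.environ["MAPS_SERVER_KEY"]\n'

if __name__ == "__main__":
    # Usage: python scan_keys.py FILE... ; a non-zero exit blocks the commit.
    results = scan_files(sys.argv[1:])
    for path, hits in results.items():
        for number, key in hits:
            print(f"{path}:{number}: possible Google API key {key}")
    sys.exit(1 if results else 0)
```

The referrer-restricted browser key is expected to appear in served HTML, so run this over server-side code and configuration, where only the environment lookup should remain.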