I have obtained a Google Maps API key for my domain.
The examples provided when I obtained my key show the key embedded in request parameters, for example:
<script src="http://maps.google.com/maps?file=api&v=2&sensor=true_or_false&key=my-key" type="text/javascript"></script>
I appreciate that the referrer field in requests must match my domain, is it safe to make my key visible in script tags and the like? Or are there any other steps I should take?
Considering that key has to be included in the <script> tags of your HTML pages, to load the JS files/data from google's servers, there is nothing you can do :
you must put it in your HTML files
every one can take a look at those.
Still, it doesn't really matter : if anyone tries to use this key on another domain than yours, they will get a Javascript alert -- which is not nice for ther users.
So :
There is nothing you can do ; this is the way it works
And there is not much you should worry about, I'd say.
There is setting on Google API console that can protect your API bandwith usage from being used by another domain/user. You can restrict and protect that by using referrer on the API console. API Key will reject requests without referrers that match your restrictions.
Here is screenshot from Google for API Key that can only be used by Google frowm its two domains.
Though this question is a few years old it's a very good one. As I understand it exposing API keys, even if they are domain matched, could still lead to abuse. There's a post on Security Stack Exchange here that covers this in more detail.
The steps that you can take to avoid potential abuse have been published by Google here:
Best Practice Guide for securely using APIs:
https://support.google.com/cloud/answer/6310037?hl=en
Though I would recommend taking all of it on board, there is an approach that would deal with the specific example that was posted by Brabster and that's to store the key in an environment variable. This way all you need to do is to substitute the key for a server-side variable that is stored within your project. However, be sure not to commit the file that stores the key to a public repository.
You should use back end/server side to protect and handle key. In my case I used Django f/w server side which can serve a ajax call to get the key from server script/db then pass it onto google api.
Related
I have generated a Google Map API Key using Google console and currently that has 'None' restriction. It works fine and I am able to consume Google Places API without any problem. I am using Ionic framework and my application is purely based on HTML and AngularJS (JavaScript).
Now as my key works as expected for some duration, it stops working all of a sudden after sometime. Google service returns 'UNKNOWN ERROR' as response for all calls. To resolve this I need to generate another key and without code changes everything works fine. I have used URL https://maps.googleapis.com/maps/api/js?key=AIzaSyDgM6rXXXXXXXXXXXXXXXXXXXXTA68vY5g&callback=&libraries=places and pasted it in browser and copied the content of the generated JavaScript in a file and referring it locally. Also FYI, I don't have any server side code with me.
Now I have precisely 2 questions.
Do I need to change my Google API key every week to keep it active? Or once the restriction is set to 'Android' or 'HTTPS' then the key will work as long as I want?
If I publish my app in Android store is it safe to place the Google API Key in app files (JavaScript or HTML)? Is there a better way of doing it? Google best practices says we should keep it outside root, but then how should I do it?
You might not have billing enabled on your project.
Without billing enabled you only get 1,000 free requests per 24 hour period (calculated as the sum of client-side and server-side requests).
After you enable billing you get up to 150,000 requests per 24 hour period free of charge.
It might be slightly confusing that JS API Places library usage counts against the Places API limit, but that is the case: the daily usage is calculated as the sum of client-side and server-side requests combined.
I've been working with website that uses geocode lookups via Google. I've been testing this for awhile now.
https://maps.googleapis.com/maps/api/geocode/json?address=1600+Pennsylvania+Ave+NW,+Washington,+DC&key=XXXXXXXXXXXXXXXXXXXXXXXXXXX
I've got that key locked to particular servers. All of a sudden I'm seeing geocode lookup errors. The response back from Google is:
{
error_message: "Browser API keys cannot have referer restrictions when used with this API.",
results: [ ],
status: "REQUEST_DENIED"
}
When I try a simple request without the API key at all it seems to work fine. Here you can try this yourself. Copy and paste the next line in your browser's URL and return.
https://maps.googleapis.com/maps/api/geocode/json?address=1600+Pennsylvania+Ave+NW,+Washington,+DC
Now, I probably shouldn't look a gift horse in the mouth, but the whole thing seems odd. If I remove my API keys today, will my websites, that rely on an address to Lat/Lng conversion, all fail tomorrow?
Is anybody else experiencing odd failures with Google Maps and GeoCode lookups? Is anyone aware of a systemic content or policy change from the Google mapping / GeoCoding team??
Edit, update:
So this defect lasted about 40 minutes, from around 9:10PM PST until a bit before 10PM PST. It seems to be fixed now.
Response to comment: Hmmm. I've been looking at the API keys as:
Server keys: Create and use a Server key if your application runs on a
server. Do not use this key outside of your server code. For example,
do not embed it in a web page. To prevent quota theft, restrict your
key so that requests are only allowed from your servers' source IP
addresses.
Browser keys: Create and use a Browser key if your application runs on
a client, such as a web browser. To prevent your key from being used
on unauthorized sites, only allow referrals from domains you
administer.
I'm definitely doing this complete lookup from user directly to Google without a server in the middle. No way can I safely use a Server key there. So I've read your input, and it definitely says Server key for geocoding. But, that really implies that no one should ever allow a browser / client interaction to process a geocode lookup. Frankly I just assumed the writeup was out of date and a bit inaccurate.
While you may be right, the whole thing just looks odd. I would have thought that if Geocode required a lookup from a server (only) and never from a web application via the browser (ever) that there would have been some direct comment as to that effect.
Oh, and the browser keys, with server fencing, seem to be working again. Again, I'm just saying the whole thing is odd. I'm treating this as a temporary hiccup up at the Google geocode servers.
And yes, I can certainly introduce an API server for a round trip Ajax call to do the lookup safely with a server key, but what's the point? Is there a benefit that I'm just not seeing? I guess I could add elements like a nonce to protect my round trip geocode intermediate lookup server from somebody else using it, etc.... But at this point, I'm just confused.
Update #2: 16 Jun 2016
Again, this whole thing is not clear. I filed a feature request to the Google GeoCode team asking for a clarification update to the documentation to address the use of Browser API keys for geocode lookups.
The documentation for the Geocoding Web Service states:
Standard API users: If you're using the API under the standard plan, you must use a server key (a type of API key) set up in a project of your choice.
The error message indicates you are using a browser key.
I am creating an API server which serves a card number validation and transaction insert.
Sample API URL = http://mydomain.com/api.json?cardnumber=2342343244&api_key=jhj67asd234tgbh123
Existing system:
I am providing an api key to client systems (say ebay.com). I am providing a discount if the user have a valid card. So my client will provide a form field to his end users to enter a valid card number.
Problem:
My client is writing ajax request to my domain to process the validation. The problem is the api key is visible in console and anyone can do the request outside of the client system (security loss).
Propose system: Please propose a system where my api key is hidden, so that the request will be processed securely. The solution may be any other way of writing an API.
I have less knowledge about API. Any help will be appreciated.
In my experience there isn't an easy way of doing this.
The only method I know about is providing the client with a one-time key. As soon as its used, it expires and the client will need a new one.
In this manner it doesn't matter that the key is visible in the console as its only ever going to be valid for a single request.
I hope that helps but I'd love to hear about any suggestions anyone else has.
Starting from recently, any request I try to get a static image from the Google Static Map API gets this text response:
This web site needs a different Google Maps API key
According to documentation https://developers.google.com/maps/documentation/staticmaps/#Limits
Note that the use of a key is not required, though it is recommended. Examples in this document do not include the key parameter so that they will work for all users who cut-and-paste the code.
Has this changed and did they forget to document it? There's a warning at the doc page that says the usage limits have changed (though then the usage limit that are claimed are the same as before!!) but it doesn't say that the use of an API key has become required.
If I had hit the usage limit, which I certainly haven't, then I would (or should) get a different response, as I experienced in the past.
The exact same requests used to work until recently.
Can anybody clarify?
Example request:
http://maps.google.com/staticmap?center=45.54309129999999,-73.62077841957398&zoom=16&size=480x360&maptype=mobile&markers=45.54309129999999,-73.62077841957398&sensor=false
I appears you are using an old URL for V1 (whose deprecation period has ended), for V2 it has to be:
https://maps.googleapis.com/maps/api/staticmap?center=45.54309129999999,-73.62077841957398&zoom=16&size=480x360&maptype=hybrid&markers=45.54309129999999,-73.62077841957398&sensor=false&mobile=true
I have a website where you can request data using ajax from our servers as json (only to be used on our site). Now i found that people start using our requests to get data from our system. Is there a way to block users from using our public json API. Ideas that i have been thinking about is:
Some kind of checksum.
A session unique javascript value on the page that have to match server-side
Some kind of rolling password with 1000 different valid values.
All these are not 100% safe but makes it harder to use our data. Any other ideas or solutions would be great.
(The requests that you can do is lookup and translations of zip codes, phone numbers, ssn and so on)
You could use the same API-key authentication method Google uses to limit access to its APIs.
Make it compulsory for every user to have a valid API key, to request data.
Generate API key and store it in your database, when a user requests one.
Link: Relevant Question
This way, you can monitor usage of your API, and impose usage limits on it.
As #c69 pointed out, you could also bind the API keys you generate to the API-user's domain . You can then check the Referer URL ($_SERVER['HTTP_REFERER'] in PHP), and reject request, if it is not being made from the API-user's domain.