javascript - How to google maps api keys safe on website - Stack Overflow

admin管理员组

文章数量:1324457

I am using the google maps api on my website and would like to use my API key, but I'm confused about how to keep it safe. I know that I could just hardcode the actual key right into index.html

<!DOCTYPE html>
<html>
<head>
<script src=".exp&sensor=false&key=HARDCODED_KEY"></script>

But then it's right there for anyone to see when they view the source code for the site. I also don't want it to show up in the DOM if someone's viewing the site with a debugging tool, like Firebug.

I'm assuming that there is a way to store it in a separate file (probably outside my html/ directory) that I can source. If anyone could provide an example or ment on whether this approach would be relatively secure, I'd really appreciate the help. I've found other posts on this topic, but none that apply for this (relatively simple) case.

I am using the google maps api on my website and would like to use my API key, but I'm confused about how to keep it safe. I know that I could just hardcode the actual key right into index.html

<!DOCTYPE html>
<html>
<head>
<script src="https://maps.googleapis./maps/api/js?v=3.exp&sensor=false&key=HARDCODED_KEY"></script>

But then it's right there for anyone to see when they view the source code for the site. I also don't want it to show up in the DOM if someone's viewing the site with a debugging tool, like Firebug.

I'm assuming that there is a way to store it in a separate file (probably outside my html/ directory) that I can source. If anyone could provide an example or ment on whether this approach would be relatively secure, I'd really appreciate the help. I've found other posts on this topic, but none that apply for this (relatively simple) case.

• javascript
• api
• google-maps-api-3
• api-key

Share Improve this question Follow asked Sep 24, 2015 at 14:22 Megan MallardMegan Mallard 8911 silver badge66 bronze badges 2

• 3 The browser key is safe to display in you HTML (it has to be there and sent to the browser). You need to set the referrers for the key so it only works on sites you own. – geocodezip Commented Sep 24, 2015 at 14:29
• 1 @geocodezip Thanks for the clarification. I saw some documentation that warned against putting api keys directly in code, so I thought I needed a better solution. But it sounds like as long as I set it up through the google developers console so that only my site can use the key, then it's secure even if it's hardcoded. Cool :) – Megan Mallard Commented Sep 24, 2015 at 14:34

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 7

Just set the referrers, as mentioned in the documentation:

To prevent other applications from using your key and consuming your quota, you can limit the IP addresses that can use your API key to send requests:

Visit the Google Developers Console and log in with your Google account.

Select the project that was created for you when you signed up. The project name will start with Google Maps API for Work.

In the sidebar on the left, select Credentials.

Find the key you're using under the Public API Access heading, and click Edit allowed IPs.

Enter the IP addresses from which your key is to be accepted, one per line. You may also enter a subnet using CIDR notation (e.g. 192.168.0.0/22).

Also you may e up with this question after you set the referral, I think you'll find it useful.

Store the API in a text file. Then, use jQuery $.get() to retrieve it. Make sure the configure your .htaccess file to disallow direct TXT file access.

To load Google Maps API dynamically, use $.getScript() in your code, right before you need the map.

Google also remends restricting API usage by referral and/or IP address.

本文标签： javascriptHow to google maps api keys safe on websiteStack Overflow