
Protect your API key (and your credit rating)

You are a rock star. You’ve successfully embedded the Google Maps API in your web site. Somehow this has nearly doubled your sales. Later that week the company gets a call from the bank. You are in overdraft. You are facing bankruptcy. Turns out you forgot to protect that API key you embedded, and now some rapscallion has been using it to create instances to mine bitcoins. Oh no. Good thing your resume is up to date.

So what did you do wrong? Well, first understand what that API key is. It’s a (by default) unrestricted ability to use the Google APIs as you, in the project you created it in. Here we wanted nothing more than to embed a Google map into a web page so people could find us. So how can we restrict it? (It is fed to their browser, after all.)

Well, what you do is click on ‘restrict API key’ and configure it sort of like the image below. Here we are restricting the key to 3 things:

  1. HTTP only (so the HTTP referrer). This prevents a thief from using it in an app, etc.
  2. Certain ‘from’ domains. Here, obviously, mine. This means the thief has to be on those websites.
  3. The specific API endpoints. Maps is complex; there are many endpoints needed (Geocoding, Directions, etc.). I found this via trial and error.

The API endpoints I needed to enable are:

  • Maps Embed API
  • Maps Static API
  • Maps JavaScript API
  • Places API
  • Geocoding API
  • Geolocation API
  • Directions API
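
An added example, not part of the original post: a small audit that checks a key's exported settings against the three restrictions above. It assumes the settings are available as a dict in the shape the Google API Keys API uses (`restrictions.browserKeyRestrictions.allowedReferrers`, `restrictions.apiTargets[].service`); the function names, the sample keys, `example.com` and the two-service "needed" list are constructed for illustration.

```python
# Added example: audit API key settings for referrer and API restrictions.
# Input shape is assumed to follow the API Keys API key resource.

def referrer_host(pattern):
    """Host part of a referrer pattern such as 'https://*.example.com/*'."""
    rest = pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()

def audit_key(key, my_domains, needed_services):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    r = key.get("restrictions") or {}
    referrers = (r.get("browserKeyRestrictions") or {}).get("allowedReferrers") or []
    if not referrers:
        findings.append("no HTTP referrer restriction")
    for pat in referrers:
        host = referrer_host(pat)
        base = host[2:] if host.startswith("*.") else host
        # The pattern must resolve to one of your domains or a subdomain of it.
        if not any(base == d or base.endswith("." + d) for d in my_domains):
            findings.append(f"referrer not limited to your domains: {pat}")
    targets = {t.get("service") for t in r.get("apiTargets") or []}
    if not targets:
        findings.append("no API restriction: key works for every enabled API")
    for extra in sorted(targets - set(needed_services)):
        findings.append(f"API allowed but not needed: {extra}")
    return findings

# Constructed sample data.
MY_DOMAINS = ["example.com"]
NEEDED = ["maps-backend.googleapis.com", "geocoding-backend.googleapis.com"]
UNRESTRICTED = {"displayName": "maps key"}  # the default state described above
RESTRICTED = {"restrictions": {
    "browserKeyRestrictions": {"allowedReferrers": [
        "https://www.example.com/*", "https://*.example.com/*"]},
    "apiTargets": [{"service": s} for s in NEEDED]}}
SLOPPY = {"restrictions": {
    "browserKeyRestrictions": {"allowedReferrers": ["*"]},
    "apiTargets": [{"service": "maps-backend.googleapis.com"},
                   {"service": "compute.googleapis.com"}]}}

if __name__ == "__main__":
    for name, key in [("unrestricted", UNRESTRICTED),
                      ("restricted", RESTRICTED), ("sloppy", SLOPPY)]:
        print(name, audit_key(key, MY_DOMAINS, NEEDED) or "OK")
```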

OK now I have saved you $Billions. Pay it forward in karma.

[Image: Google API Key]