Restricting Google Maps js API keys to just my domain

@Mendez628

Posted in: #Google #GoogleMaps #Javascript #Security

My site uses the Google Maps javascript API, so I'm using a "Browser key", which is plainly visible in my javascript to anyone who does "View Source".

Google's documentation on Browser keys in javascript apps (https://support.google.com/cloud/answer/6158862?hl=en&ref_topic=6262490) says: "Create and use a Browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer."

Unfortunately there are no instructions about how to implement what they say in that last sentence (restricting the domains for browser keys). I've been hunting around the menus and haven't been able to figure out how to do it.

The closest I've gotten is: In console.cloud.google.com I clicked on the hamburger and selected "API Manager," then clicked on "Credentials," clicked on the tab labeled "Domain verification." I have no idea if that's the right place to go to, but it's the only place that I found that mentions domains. While on that tab, I clicked "Add domain" and added a domain. But that didn't restrict the keys to that domain. I tested the Browser key on a different domain, and the key worked on that other domain.

Can anyone provide step-by-step instructions for how to make the Browser key only usable from one domain?

@Courtney195

Google changes this around every now and then, and whenever they do I have to 're-find' where each of the settings are.

So you're not alone!

You're right that a browser key is essentially 'public' and should be limited by domain to protect it from being stolen. It's worth noting the worst that can happen if it's stolen is that someone could use up your free API request limit (assuming you're not on a billing plan of course) and cause requests from your site to be denied. You could then remove the key and create a new one without too much trouble. But of course, it's much better to avoid this altogether!

To limit API requests to come from your domain(s) only, start at the Google API Console, then:

1. Click the hamburger menu at the top left
2. Click API Manager
3. Click Credentials
4. Select or create your project
5. Click Create Credentials, then choose API key and Browser Key
6. Enter the name for your key (this is just for you to identify it by)
7. Under Accept requests from these HTTP referrers (websites), this is where you limit the key to your domain name - you can enter *.domain.com/* to cover anything on your domain.
8. Click Create

If you're editing a key that you've already created, instead of steps 5 and 6 above just click the name of the key, and you'll see the same field there ready for you to enter your domain name into.

The Domain Verification you found causes Google to check that you have already verified ownership of your domain in the Search Console. This allows Google to send hooks back to your domain, which I imagine are required for some of the APIs (I'm not sure which ones, as all I generally use is the JavaScript Maps API, which is fairly simple!).
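As an added example (not code from the original post, and not Google's implementation), here is a small JavaScript model of how an HTTP-referrer pattern such as `*.domain.com/*` from the answer above filters Referer values, so you can see what it admits and denies before relying on it. The matching rules, the function names `patternToRegExp`, `referrerAllowed` and `report`, and the sample Referer values are all my own assumptions and constructions.

```javascript
// Added example, not code from the original post or from Google: a small
// model of HTTP-referrer restriction matching, so you can see which Referer
// values a pattern like "*.domain.com/*" admits before relying on it.
// Assumed rules (a simplification, not Google's documented behaviour):
// "*" matches any run of characters, a scheme in the pattern is ignored,
// and the match is anchored to the whole host + path of the referrer.
// Query string and fragment are ignored. Treat results as a sanity check,
// not as the provider's verdict.

function patternToRegExp(pattern) {
  const withoutScheme = pattern.replace(/^https?:\/\//, "");
  const body = withoutScheme
    .split("*")
    .map((literal) => literal.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + body + "$");
}

function referrerAllowed(referer, patterns) {
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return false; // No or malformed Referer: deny, as a key restriction would.
  }
  // URL lowercases the host for us; the path is compared as sent.
  const target = url.host + url.pathname;
  return patterns.some((p) => patternToRegExp(p).test(target));
}

// Constructed Referer values exercising the pattern suggested in the answer.
const PATTERNS = ["*.domain.com/*"];
const SAMPLES = [
  "https://www.domain.com/map",           // subdomain: allowed
  "https://domain.com/",                  // bare host: not matched by this pattern here
  "https://www.domain.com.evil.example/", // look-alike host: denied, needs ".domain.com/"
  "https://other.example/page",           // unrelated domain: denied
  "",                                     // missing Referer: denied
];

function report(patterns, samples) {
  return samples.map((r) => ({ referer: r, allowed: referrerAllowed(r, patterns) }));
}

for (const row of report(PATTERNS, SAMPLES)) {
  console.log(`${row.allowed ? "ALLOW" : "DENY "} ${row.referer || "(no Referer)"}`);
}
```

If your site is also served from the bare host, add it as its own entry alongside the wildcard pattern and re-run the check; the model here treats the two as distinct.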
