Hi Magda,
A misuse of the Browser API key can lead to the quota being exceeded and also, according to the article at https://support.google.com/cloud/answer/6310037, the account can be compromised.
On the other hand, this article contradicts the examples given by Google, where they use the Browser key explicitly in the code.
Since the Browser API key is an authentication key, exposing it to the public does not look to be a good idea, independently of the risks involved.
Best regards,
Hey there, Pedro,
Indeed, this is advocated by Google itself, but I understand your concern: if someone takes hold of your key, they'll use up your quota, right? Well, I think this is only true if you don't configure your keys to work ONLY on specific URLs (like we ourselves do).
What I'm guessing they're referring to here are server-to-server API keys (such as the one for Geocoding), which, if captured, allow indiscriminate access (as long as billing allows, anyway ;) ). The Google Maps JavaScript API, on the other hand, will NOT run if the script tag is present on a web site whose URL does not match the mentioned configurations.
So long story short: I think you're safe exposing that specific key, as it's blocked from running on other URLs. Just make sure the Server key (used for geocoding calls) is stored safely, even if it has a similar list.
Was I able to convince you? If not, just ask and clear it up :)
Best regards,
Carlos Simões