[Google Maps Web] Google Browser API key exposed in web page source
Question by Pedro Cardoso Baptista (661 views, 4 comments)
Tags: Forge, Maps, Security, Google Maps Web (O11) (Forge asset by Labs)
In an application in development it is required to use Google Maps to represent some data. The Google Maps plugin from OutSystems was used and I got a Browser API key using my personal Gmail account.
The behaviour of Google Maps is as expected. All good.
This morning I noticed that the Browser API key is exposed when viewing the source of the application in the browser.
Is there any way for the Browser API key not to be exposed in the app web page source?
Best regards,
Magda Pereira
Hi Pedro,
According to the Google best practices there aren't any concerns about exposing the Browser API key in the source of the application. What are your concerns with this?
Regards
Pedro Cardoso Baptista
Hi Magda,
A misuse of the Browser API key can lead to the quota being exceeded and also, according to the article at https://support.google.com/cloud/answer/6310037, the account can be compromised.
On the other side, this article contradicts the examples given by Google where they use the Browser key explicitly in the code.
The Browser API key being an authentication key, exposing it to the public does not look to be a good idea, independently of the risks involved.
Best regards,
09 May 2016 (1 reply)
Carlos Filipe Simões
Staff
Hey there, Pedro,
Indeed, this is advocated by Google itself, but I understand your concern: if someone takes hold of your key, they'll use up your quota, right? Well, I think this is only true if you don't configure your keys to work ONLY on specific URLs (like we ourselves do).
What I'm guessing they're referring to here are server-to-server API keys (such as the one for Geocoding), which, if captured, allow indiscriminate access (as long as billing allows, anyway ;) ). The Google Maps JavaScript API, on the other hand, will NOT run if the script tag is present on a web site whose URL does not match the mentioned configurations.
So, long story short: I think you're safe exposing that specific key, as it's blocked from running on other URLs. Just make sure the Server key (used for geocoding calls) is stored safely, even if it has a similar list.
Was I able to convince you? If not, just ask and clear it up :)
Best regards,
Carlos Simões
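The reply above rests on the key being locked to specific URLs. As an added example (not from this thread and not Google's code), the JavaScript below models how such a referrer allow-list is evaluated server-side for a browser key; the pattern syntax ("https://*.example.org/*"), the hosts, and the names ALLOWED_REFERRERS, referrerAllowed and checkBrowserKeyRequest are assumptions for illustration, and the real service's matching rules may differ. It also shows the caveat a practitioner should keep in mind: a browser sets the Referer header honestly, but a scripted client can send any value, so the restriction stops the key from working on other web sites in a browser, not from a deliberate non-browser caller.

```javascript
// Added example (not from the thread, not Google's code): a simplified model of
// how an HTTP-referrer allow-list gates a browser API key. The pattern syntax
// is an assumption modelled on the common "https://*.example.org/*" style.

// Hypothetical allow-list configured for the browser key.
const ALLOWED_REFERRERS = [
  "https://maps.example.com/*",
  "https://*.example.org/*",
];

// Translate one allow-list pattern into an anchored regular expression.
// A trailing "/*" matches any path. Any other "*" is limited to one host label
// or path segment ([^/]*), so "https://*.example.org/*" cannot be satisfied by
// "https://evil.net/?u=https://app.example.org/" the way a naive ".*" would.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  let body = escaped;
  let suffix = "";
  if (body.endsWith("/*")) {
    body = body.slice(0, -2);
    suffix = "/.*";
  }
  body = body.replace(/\*/g, "[^/]*");
  return new RegExp("^" + body + suffix + "$");
}

// True when the Referer value matches at least one allowed pattern.
// A missing Referer is rejected: a key locked to URLs should not work blind.
function referrerAllowed(referer, allowed = ALLOWED_REFERRERS) {
  if (typeof referer !== "string" || referer.length === 0) return false;
  return allowed.some((p) => patternToRegExp(p).test(referer));
}

// Server-side decision for one request carrying the browser key.
// `request` is a constructed object standing in for the parsed HTTP request.
function checkBrowserKeyRequest(request, allowed = ALLOWED_REFERRERS) {
  const referer = request.headers["referer"];
  return referrerAllowed(referer, allowed) ? "OK" : "REFERER_NOT_ALLOWED";
}

// Constructed sample requests:
const fromOwnSite = { headers: { referer: "https://maps.example.com/dashboard" } };
const fromOtherSite = { headers: { referer: "https://evil.net/steal-quota" } };
const lookalikeHost = { headers: { referer: "https://maps.example.com.evil.net/" } };
// A scripted client (curl -H "Referer: ...") can send whatever it likes; the
// allow-list cannot tell this apart from a real browser on the allowed site.
const forgedReferer = { headers: { referer: "https://maps.example.com/" } };

console.log(checkBrowserKeyRequest(fromOwnSite));   // OK
console.log(checkBrowserKeyRequest(fromOtherSite)); // REFERER_NOT_ALLOWED
console.log(checkBrowserKeyRequest(lookalikeHost)); // REFERER_NOT_ALLOWED
console.log(checkBrowserKeyRequest(forgedReferer)); // OK
```

The last case is the one to remember when deciding what a browser key protects: it keeps other sites from embedding your key in their pages, which is what eats quota in practice, but anyone who can script an HTTP request can still present an allowed Referer. Anything that must not be callable by strangers (the Server key used for geocoding, in the reply above) belongs on your server, behind your own authentication, not in the page.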
Pedro Cardoso Baptista
Hi Carlos,
Your explanation makes sense.
Locking the API key to specific URLs should be enough.
Thank you.
Best regards,