[Google Maps] Google Browser API key exposed in web page source

Published on 20 Sep (6 days ago) by OutSystems Labs
In an application in development it is required to use Google Maps to represent some data. The Google Maps plugin from OutSystems was used and I got a Browser API key using my personal Gmail account.
The behaviour of Google Maps is as expected. All good.

This morning I noticed that the Browser API key is exposed when viewing the source of the application in the browser.

Is there any way to keep the Browser API key from being exposed in the app web page source?

Best regards,
Hi Pedro,

According to the Google best practices there aren't any concerns about exposing the Browser API key in the source of the application. What are your concerns with this?

Regards
Hi Magda,

A misuse of the Browser API key can lead to the quota being exceeded and also, according to the article at https://support.google.com/cloud/answer/6310037, the account can be compromised.

On the other side this article contradicts the examples given by Google where they use the Browser key explicitly in the code.

Since the Browser API key is an authentication key, exposing it to the public does not look like a good idea, independently of the risks involved.

Best regards,
Pedro Cardoso Baptista wrote:
Hey there, Pedro,

Indeed, this is advocated by Google itself, but I understand your concern: if someone takes hold of your key, they'll use up your quota, right? Well, I think this is only true if you don't configure your keys to work ONLY on specific URLs (like we ourselves do).

What I'm guessing they're referring to here are server to server API keys (such as the one for Geocoding), which, if captured, allow indiscriminate access (as long as billing allows, anyway ;) ). The Google Maps JavaScript API, on the other hand, will NOT run if the script tag is present on a web site whose URL does not match the mentioned configurations.

So long story short: I think you're safe exposing that specific key, as it's blocked from running on other URLs. Just make sure the Server key (used for geocoding calls) is stored safely, even if it has a similar list.

Was I able to convince you? If not, just ask and clear it up :)

Best regards,

Carlos Simões
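The distinction Carlos draws (a browser key that is public by design but locked to specific referrer URLs, versus a server key that must never reach the client) can be turned into a small audit check. The following is an added example, not code from the thread or from OutSystems or Google: it scans page source for strings in the widely used Google API key format (39 characters starting with "AIza"), looks each one up in a constructed key inventory, and models the referrer restriction as a wildcard match against the page URL. The inventory, the sample keys, the sample HTML and the assumption that "*" in a referrer pattern matches any run of characters are all constructed for the example.

```javascript
// Added example: audit delivered page source for Google API keys and classify
// each finding according to the key's role and referrer restriction.
// Nothing here is real credential material; all values are constructed.

// Common Google API key shape: "AIza" followed by 35 URL-safe characters.
const KEY_PATTERN = /AIza[0-9A-Za-z_-]{35}/g;

// Constructed sample keys (not real).
const BROWSER_KEY = "AIza" + "B".repeat(35);
const SERVER_KEY = "AIza" + "S".repeat(35);

// Constructed key inventory as an operator might maintain it. Referrer
// patterns use the wildcard style of HTTP referrer restrictions; assumption:
// "*" matches any run of characters, everything else matches literally.
const KEY_INVENTORY = {
  [BROWSER_KEY]: { kind: "browser", referrers: ["https://myapp.example.com/*"] },
  [SERVER_KEY]: { kind: "server", referrers: [] },
};

// Turn a referrer pattern into an anchored regular expression.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                  // then expand the wildcard
  return new RegExp("^" + escaped + "$");
}

// True when the page URL matches at least one allowed referrer pattern.
function referrerAllowed(pageUrl, referrers) {
  return referrers.some((p) => patternToRegExp(p).test(pageUrl));
}

// Scan HTML for key-shaped strings and report one finding per distinct key.
function auditPageSource(html, pageUrl, inventory) {
  const findings = [];
  for (const key of new Set(html.match(KEY_PATTERN) || [])) {
    const entry = inventory[key];
    if (!entry) {
      findings.push({ key, severity: "high", reason: "unknown key in page source" });
    } else if (entry.kind === "server") {
      findings.push({ key, severity: "high",
        reason: "server key exposed in client source; move the call server-side" });
    } else if (entry.referrers.length === 0) {
      findings.push({ key, severity: "medium",
        reason: "browser key has no referrer restriction" });
    } else if (!referrerAllowed(pageUrl, entry.referrers)) {
      findings.push({ key, severity: "medium",
        reason: "browser key restrictions do not cover this page URL; the map will not load here" });
    } else {
      findings.push({ key, severity: "info",
        reason: "browser key is referrer-restricted; exposure in source is expected" });
    }
  }
  return findings;
}

// Constructed page source: the Maps script tag (expected) plus a geocoding
// key that leaked into client-side script (the case to catch).
const SAMPLE_HTML = `
<script src="https://maps.googleapis.com/maps/api/js?key=${BROWSER_KEY}"></script>
<script>const geocodeKey = "${SERVER_KEY}";</script>
`;

// Stand-alone run: print the findings for the sample page.
for (const f of auditPageSource(SAMPLE_HTML, "https://myapp.example.com/map", KEY_INVENTORY)) {
  console.log(f.severity, f.key.slice(0, 8) + "...", f.reason);
}
```

Run against the sample page the browser key comes back as "info" (restricted, exposure expected) and the geocoding key as "high"; running the same audit with a page URL outside the referrer list downgrades the browser key to "medium", which is exactly the situation the JavaScript API refuses to load in.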
Hi Carlos,

Your explanation makes sense.

Locking the API key to specific URLs should be enough.

Thank you.

Best regards,