Google API key in page source?

  • Resolved gb24

    (@gb24)


    1 year, 8 months ago

    I recently received an email from Google about a “Publicly accessible Google API key for Google Cloud Platform project”, referring to a page on my website. When looking at the page source I see the API key in 2 places where a JS script is called. Should I be concerned since I have restricted the key usage to specific websites?

    Here is one of the JS calls:

    <script src='https://maps.googleapis.com/maps/api/js?v=3&libraries=places,drawing&key=xxxxxxxxxxx' id='mappress-google-js'></script>
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author chrisvrichardson

    (@chrisvrichardson)

    Hi,

    The API key is always visible on the page (that’s just how Google Maps works). In theory, someone else could use your key if it’s unrestricted (to show their own maps).

    To prevent that, you can restrict the key by “referer” to make sure that it’s only used on your site. Please see the MapPress FAQ for more information, and a link to Google’s FAQ about how to restrict keys.

    I’m not sure why you received an email if your key is already restricted – maybe Google just sent a notice for every key? In any case, it’s probably worth just double checking that a referer restriction is present.

    Thread Starter gb24

    (@gb24)

    Thank you so much for the quick reply and resolution!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Google API key in page source?’ is closed to new replies.

Tags