Is this your API Key?

  • Resolved Jeffrey2915

    (@jeffrey2915)


    1 year, 8 months ago

    I recently received an alert from Google informing me that “We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project.”

    I looked at the source code for my web page where Google states this API key is located, and indeed found it, inside the code for a WP Go Map I have embedded in the page.

    It starts:

    (script src=’//maps.googleapis.com/maps/api/js?v=quarterly&language=en&key=AIzaRedactedForPrivacy;libraries=geometry%2Cplaces%2Cvisualization&ver=6.1.1′ id=’wpgmza_api_call-js’ data-usercentrics=”Google Maps”>
    <script id=’wpgmza_dummy-js-extra’)

    How to rectify this?

    • This topic was modified 1 year, 8 months ago by Jeffrey2915.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author DylanAuty

    (@dylanauty)

    Hi @jeffrey2915,

    Thank you for getting in touch, we do appreciate your time.

    The inclusion of the API key in that script call is within the specification provided by Google for loading their API, meaning this is a standard approach to including the API which our plugin uses to render maps and place markers.

    With that said, we’d be interested to see the report you received, so that we can get a better understanding of the context in which this was received. Is that something you would be open to sharing with us?

    Additionally, could I ask you to confirm that you have followed our documentation on restricting access to your API key as documented here: https://www.wpgmaps.com/documentation/ensuring-your-referrers-are-properly-inserted/ – This protects your key from being used publicly.

    Thread Starter Jeffrey2915

    (@jeffrey2915)

    Thanks for your response!

    I inherited this website project from a previous designer, so I don’t know its history. Following your instructions for restricting API Keys, I indeed found a key of the same name in the Google Analytics account, though I’m unsure of its origins or purpose. Can you speculate?

    I also found that the first version of your filters (.example.com/), specifically the dot prefix, was missing, so have now added it. I also regenerated the Key, as suggested by Google.

    Do I need to do anything else?

    If you’re still interested in the alert I received from Google, is there a contact from or email address to which I can send it?

    Thanks!

    Plugin Author DylanAuty

    (@dylanauty)

    Hi @jeffrey2915,

    Thank you for confirming, I do appreciate it. Based on the information you’ve shared, you key should be secured. You shouldn’t need to take any additional action now that the key has been regenerated (as it was shared here). Just confirming, have you also updated the key in our plugin settings area?

    No need to send us a copy of the email, we received a few of these over the weekend so we have a good sample of the email. This seems to be a new automated email being sent out to users of the Google Maps API as a precautionary measure.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Is this your API Key?’ is closed to new replies.