Login/Register
Google geocoding API security
Asked Answered
google-apigoogle-geocoding-apigoogle-geolocation
R

1

5

I am asking this question after extensively reading Google's recommended approach, but I do have a problem with all these approaches, let me explain the situation.

I use combination of geolocation and geocoding API to know the approximate state location and then display relevant content. The geolocation API needs to be called obviously from the browser to get appropriate geolocation of the user. Google provides HTTP Referrer based restriction for this API. I know someone can easily spoof the referrer and make calls with the same API key. I do not see a huge advantage even though Google recommends this.

On the other hand Google does not allow HTTP Referrer for geocoding API, but it does allow that for the MAPS JavaScript API. But again if you are not using Google maps then using that API is violation of Google's terms. Now google recommends to move the code that uses geocoding web services API to be on the back-end so that your key will be protected. But since ultimately I need to deliver the result to a front-end web application that is publicly accessible and I can only make a browser based Ajax call to first get the geolocation to feed to geocoding, I ultimately need to make an Ajax call to get my geocoding information. Then someone can easily just latch onto my end-point to piggy back on and call the geocoding API as much as they want. So for situations like this I want to know what is the ideal and secured way to deal with. May be there are other APIs that might be an ideal situation for this.

Rico answered 22/7, 2018 at 19:5 Comment(3)
I am having a very similar issue in trying to make the key more secure and do not have an answer for you but I do want to comment on the key location. You can create a folder on the Web server that is outside the HTTP space and it will still be accessible by the site's programming with no need to use Ajax in order to reach it. However, it's not clear of the gain in security since it still needs to be called somehow (it's called from inside a PHP function on my sites) in order for it to work.Perceptual
@DonP I do not understand what do you mean by it is called from PHP? The interaction is from client side correct? If it is from client side merely keeping it away from web root and then using your server side language to inject it to the dom so that client side code can use it does not make any difference whether calling it using ajax or loading it via server side renderingRico
I'm not using it from client side and have no clue how to do that. All my programming is PHP including a function that generates the URL itself and a couple more that work together to provide the values that the site needs, which it inserts into the database.Perceptual
P
6

In my case, I am not doing any maps so it's all purely server-side to get latitudes, longitudes and driving distance between two points. This today from Google support which might help and if you're using maps, then the links may provide further insight.

Regarding API restrictions, please note that HTTP referrers will not work on Geocoding API since HTTP referrers can only be used for client side services. In other words, Geocoding is a web service API and should only be used on server-side implementation. IP address restrictions should be used for web service APIs. However, if you are using the Geocoding API in a website, IP address restriction would not work. Please check the suitable restrictions for each API in the following link:

https://developers.google.com/maps/api-key-best-practices#api_key_table

To make this work, you should create a separate key and use the new one in your Geocoding API request URL. You may add a restriction to this key by using an "API restriction", and restrict it to Geocoding API only. If you don't want to create another key, you may keep using your current one but make sure to change your implementation and use the client side Geocoding service from the Maps JavaScript API. In that case, please refer to this documentation:

https://developers.google.com/maps/documentation/javascript/geocoding

Another suggestion would be to get a static IP address from your ISP, especially if you are planning to use it on a public website. For development purposes, a sound solution would be to get three separate keys: one for the staging and tests, another for server-side requests and a third one for client-side requests. That way, you are making sure your API key is protected.

Perceptual answered 28/2, 2019 at 19:15 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.