grey-area 7 hours ago

Is there a way to use Google Maps APIs on the web without exposing the key? Re host header: it seems an odd way for Google to do it; surely they would have fixed that by now? I guess it's not a huge problem, as attackers would have to proxy traffic or something to obscure the host headers sent by real clients? Any links on how people exploit this?
KomoD 2 hours ago

What is there to fix? It was designed this way. Something that can be abused is if the key also has other Maps APIs enabled, like Places API, Routes API or Static APIs, especially for scraping, because those produce valuable info beyond just embedding a map. The only suggestions I have are:

- If you want to totally hide the key, proxy all the requests through some server.
- Restrict the key to your website.
- Don't enable any API that you don't use; if you only use the Maps JavaScript API to embed a map, then don't enable any other Maps API for that key.
yla92 7 hours ago

Google's own recommended practices: https://developers.google.com/maps/api-security-best-practic...