I'm currently trying to use the Google Maps API for a friend's website, but I'm limited to a no-code website builder that only allows custom HTML and JavaScript. This means I have to embed the API key directly within the HTML, which makes me uncomfortable regarding security. I know I can limit the domain and API usage on the Google side, but I'm looking for more secure methods. Any advice would be appreciated!
2 Answers
It sounds like you're dealing with a tricky situation. If your no-code platform only allows front-end customization, you might need to rethink your setup. Using a service that provides backend capabilities would be ideal for keeping your API keys secure. Remember, any secret stored on a device you don't control is not really a secret. So, if you can, try to use a reverse proxy to handle API requests. This way, your key is kept out of the frontend code and is safely stored on a server instead. It's a more secure option, even if it's a bit more complex.
So there's no way to secure it just by using the no-code platform? That really limits what you can do.
Some API keys are actually fine to be public, especially if they're meant for public use. If you're concerned about security, just focus on setting referrer and service restrictions on the Google Cloud Console for your API key. That should provide a decent level of protection against casual misuse, but keep in mind that savvy users could potentially bypass this. In any case, always be sure to monitor your API usage as well!
Hmm, I guess limiting the request domain should be enough then? Just looking for some reassurance here!
It's definitely worth discussing! There are always new ideas out there.
Good point made there! Makes sense, right?