堆栈内存溢出
  简体   繁体   English

我应该对我的地址解析API密钥保密吗?

[英]should I keep my geocode api key a secret?

 原文  2016-10-25 02:11:31       javascript/ api/ api-key/ google-geocoding-api

问题描述

I'm working with the geocoding api from google. 我正在使用Google的地址解析API I'll be hitting the following endpoint with ajax like so... 我将像这样用ajax到达以下端点... 

$.ajax({
  url: https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=MY_API_KEY,
  success: function(data) {
    console.log("yay");
  }
})

Is it safe to add my api key directly into my javascript? 将我的api密钥直接添加到我的javascript中安全吗? This means it will be viewable from my website and also on source control. 这意味着可以从我的网站和源代码管理上查看它。 What precautions should I take? 应该采取什么预防措施?

2 个解决方案

解决方案1
 3  2016-10-25 02:15:03

No , you should absolutely hide your API key(s) from the client and source control. ,您应该绝对对客户端和源代码管理隐藏您的API密钥。 A malicious user could use the key to exhaust your quota, making your application potentially unusable. 恶意用户可能会使用该密钥来耗尽您的配额,从而使您的应用程序可能无法使用。

To avoid this, create a server which fetches the data from the API and then serves it to the user. 为了避免这种情况,请创建一个服务器,该服务器从API提取数据,然后将其提供给用户。 Additionally, you should apply rate limiting, to prevent users exhausting your quota through your own application. 此外,您应该应用速率限制,以防止用户通过您自己的应用程序耗尽您的配额。

For more information, see this support article . 有关更多信息,请参见此支持文章

解决方案2
 1  2017-09-04 08:41:33

Consider also using the Geocoding Service in the Google Maps JavaScript API. 还可以考虑使用Google Maps JavaScript API中的地址解析服务 When loading the JavaScript API, make sure to use an API key that is restricted to your website . 加载JavaScript API时,请确保使用限于您的网站的API密钥

Remember that results from the Google Geocoding services must be displayed on a Google map (see 10.4.d and 10.4.e). 请记住,来自Google地理编码服务的结果必须显示在Google地图上 (请参见10.4.d和10.4.e)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 是否建议将 Giphy API 密钥保密? - Is it recommended to keep a Giphy API key secret? 如何在 next.js 部署中保留我的 API 机密? - How can I keep my API secret out of my next.js deploy? 不隐藏我的 API 密钥和秘密有什么风险? - What are the risks of not hiding my API key and secret? 我的代码在多个位置使用带有密钥的 API。 如何在不上传密钥的情况下将代码上传到 GitHub? - My code uses an API with secret key in several locations. How can I upload the code to GitHub without also uploading my key? 使用API​​ Key + Secret On Express保护我的RESTful API - Securing my RESTful API with API Key + Secret On Express 注入秘密api密钥 - Injecting secret api key 如何创建环境变量以保护我的网站的Google Maps API密钥(或任何其他秘密值)? - How do I create environment variables to protect my Google Maps API Key(or any other secret value) for my website? 如何为google.maps.Geocoder()。geocode()传递Google API密钥 - how can I pass the Google API Key for google.maps.Geocoder().geocode() 我该如何保持出版物的反应? - How should I keep my publication reactive? 我应该保持我的Redis连接持久吗? - Should I keep my redis connection persistent?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM