[英]should I keep my geocode api key a secret?
I'm working with the geocoding api from google. 我正在使用Google的地址解析API 。 I'll be hitting the following endpoint with ajax like so...
我将像这样用ajax到达以下端点...
$.ajax({
url: https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=MY_API_KEY,
success: function(data) {
console.log("yay");
}
})
Is it safe to add my api key directly into my javascript? 将我的api密钥直接添加到我的javascript中安全吗? This means it will be viewable from my website and also on source control.
这意味着可以从我的网站和源代码管理上查看它。 What precautions should I take?
我应该采取什么预防措施?
No , you should absolutely hide your API key(s) from the client and source control. 不 ,您应该绝对对客户端和源代码管理隐藏您的API密钥。 A malicious user could use the key to exhaust your quota, making your application potentially unusable.
恶意用户可能会使用该密钥来耗尽您的配额,从而使您的应用程序可能无法使用。
To avoid this, create a server which fetches the data from the API and then serves it to the user. 为了避免这种情况,请创建一个服务器,该服务器从API提取数据,然后将其提供给用户。 Additionally, you should apply rate limiting, to prevent users exhausting your quota through your own application.
此外,您应该应用速率限制,以防止用户通过您自己的应用程序耗尽您的配额。
For more information, see this support article . 有关更多信息,请参见此支持文章 。
Consider also using the Geocoding Service in the Google Maps JavaScript API. 还可以考虑使用Google Maps JavaScript API中的地址解析服务 。 When loading the JavaScript API, make sure to use an API key that is restricted to your website .
加载JavaScript API时,请确保使用限于您的网站的API密钥 。
Remember that results from the Google Geocoding services must be displayed on a Google map (see 10.4.d and 10.4.e). 请记住,来自Google地理编码服务的结果必须显示在Google地图上 (请参见10.4.d和10.4.e)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.