How to secure Google API key?

I’ve successfully setup Google Places API call to have autosuggest/complete on address forms. Besides the website restrictions in the Cloud Console credential setup, is there anything else I should be doing to prevent unauthorized use?

1 Like

You need to whitelist the IP in your Google Cloud Console, by whitelisting your WeWeb instances' IP and turning on CORS for the REST API requests - this way it's not the client hitting the API, but your (WeWeb's) CORS proxy. Or at least that's how I remember I did it, I would have to look into it.

Using WeWeb's server with the CORS option only moves the problem without taking care of it. Yes, you can restrict by IP address now, but anybody can make requests to WeWeb's endpoint, which will not do any auth check and will just forward the request (and for Google all of them will come from the allowed IP address).
If you want to protect it this way you should use your own backend and handle the auth with the requests from WeWeb, then make the request to Google and return the response to the app.

1 Like

Good point there, as usual, the backend route is the safest thing. The CORS is just making it one step tougher :smiley:

Thanks for clarifying. If I have all the components that use these API calls on auth restricted pages, is the risk shifted to only a rogue paying customer trying to steal the key?

If the key is meant to be secret and never be shared with the user, then you need to use a secure server. If the key is meant to be used in the client, you are OK using it directly. Good services have good docs that you want to check for best practices.
This page may be useful.

1 Like
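The backend pattern suggested in the two replies above (check the caller's auth first, then call Google with a key that only the server holds, then return the response to the app), written out as an added example rather than anything from the thread or from WeWeb. The session store, the per-user quota and the `fake_google` fetch function are constructed stand-ins; a real deployment would read the key from the environment and call Google over the network.

```python
from urllib.parse import urlencode

# Real Google Places Autocomplete endpoint; the key is appended only here, server-side.
GOOGLE_AUTOCOMPLETE = "https://maps.googleapis.com/maps/api/place/autocomplete/json"

# Constructed sample session store (assumption): bearer session token -> user id.
SESSIONS = {"sess-abc123": "user-42"}

# Constructed per-user quota, so one paying user cannot burn the whole key budget.
QUOTA_PER_USER = 100
_usage = {}


def authenticate(headers):
    """Return the user id for a valid 'Authorization: Bearer <session>' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def build_upstream_url(user_input, api_key):
    """Build the request the *server* sends to Google; the client never sees this URL."""
    return GOOGLE_AUTOCOMPLETE + "?" + urlencode({"input": user_input, "key": api_key})


def handle_autocomplete(headers, query, fetch, api_key):
    """Proxy handler returning (status, body). Order matters: validate, authenticate, meter, forward."""
    text = query.get("input", "")
    if not text or len(text) > 200:
        return 400, {"error": "bad input"}
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}  # the plain CORS proxy skips this step
    if _usage.get(user, 0) >= QUOTA_PER_USER:
        return 429, {"error": "quota exceeded"}
    _usage[user] = _usage.get(user, 0) + 1
    status, body = fetch(build_upstream_url(text, api_key))
    # Pass through only the predictions; nothing about the upstream request leaks back.
    return status, {"predictions": body.get("predictions", [])}


def fake_google(url):
    """Constructed stand-in for the network call; answers like the real endpoint would."""
    assert "key=" in url, "server forgot to attach the key"
    return 200, {"status": "OK", "predictions": [{"description": "1600 Amphitheatre Pkwy"}]}
```

Google's own website/IP restrictions on the key still apply on top of this; they limit where the key may be used from, while the auth check limits who may trigger a call.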