使用 google maps js API 时是否需要隐藏 API 密钥?如果是这样,如何? [英] Do I need to hide API key when using google maps js API? If so, how?
问题描述
根据 https://developers.google.com/maps/documentation/javascript/tutorial#HTML5 ,看来我可以将以下标签添加到我的 html 中并开始使用 maps js API.
According to https://developers.google.com/maps/documentation/javascript/tutorial#HTML5 , it seems I can add the following tag to my html and start using maps js API.
<script async defer
src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
</script>
但这会暴露我的 API 密钥.
But this will reveal my API key.
在google上搜索,在stackoverflow上浏览答案后,我觉得可能没有必要隐藏这个API key.我只需要在 google 上创建 API 密钥时设置引用者,如https://stackoverflow.com/a/2256312/1316649
After searching on google and browsing answers on stackoverflow, I feel that maybe there is no need to hide this API key. I just need to set the referer when I create the API key on google, as explained in https://stackoverflow.com/a/2256312/1316649
因此,即使其他人知道我的 API 密钥,他们也无法从其他域使用它.我说得对吗?
So, even others know my API key, they cannot use it from another domain. Am I right?
但谷歌说你不应该在代码中嵌入 API 密钥:https://support.google.com/cloud/answer/6310037
But google says you shouldn't embed API key in code: https://support.google.com/cloud/answer/6310037
那么,在使用 google maps js API 时是否需要隐藏 API 密钥?如果是,怎么办?
So, do I need to hide API key when using google maps js API? If so, how?
更新:API 密钥"是指浏览器 API 密钥.
Update: By 'API key', I meant browser API key.
推荐答案
您可以创建多个具有不同限制的 API 密钥以安全使用它们.为了嵌入地图,Google Maps 文档中包含有关创建正确受限的 API 密钥的说明,以便它不会被滥用于 获取 API 密钥 - 限制 API 密钥.在源代码中包含受限 API 密钥是可以的,因为不这样做就无法正确嵌入地图.
You can create multiple API keys with different restrictions to use them safely. For embedding a map, the Google Maps documentation has instructions for creating a correctly restricted API key so that it cannot be abused for other purposes at Get an API Key - Restricting API keys. It's OK to include a restricted API key in your source code, because you cannot embed a map properly without doing that anyway.
如果您需要服务器端 API 访问权限,您可以创建第二个限制较少的 API 密钥.那个应该保密.
If you need server-side API access, you can create a second API key with less restrictions. That one should be kept secret.
这篇关于使用 google maps js API 时是否需要隐藏 API 密钥?如果是这样,如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!