如何谷歌地图保护他们的API密钥？如何使类似的东西？ [英] How does Google Maps secure their API Key? How to make something similar?

问题描述

目前谷歌要求你创建一个API密钥是具体到那里的地图将提供服务的域。谷歌是如何执行的？我想要做同样的事情。

Currently Google requires you to create an API Key that is specific to the domain of where the map will be served from. How does Google enforce this? I want to do the same thing.

我揭露了一个API为我服务，但要允许客户端只需从服务器通过JavaScript嵌入到API调用，而不是。我可能只是一个随机令牌，但当然这可以通过任何人都希望在客户机上的code很容易被欺骗。

I expose an API for my service but want to allow clients to embed calls to the API via javascript and not just from the server. I could secure it with just a random token but of course this could be easily spoofed by anyone looking at the code on the client machine.

我始终明白这个概念是不可能的，但不知何故在谷歌执行它做得很好。

I always understood this concept to not be possible but somehow Google does a good job at enforcing it.

编辑 - 这听起来像谷歌真的什么也没做毕竟惊人。他们的API是最有可能只是为了追踪，并没有真正以保证它们的API用于通过与钥匙的人。

Edit - It sounds like Google really hasn't done anything amazing after all. Their API is most likely just for tracking and not really to guarantee that their API is used by the person with the key.

推荐答案

我很肯定他们所使用的引荐来源网址，以确定该呼叫的来源。如果域名不匹配什么指定给该键，它是一个无效的请求。

I'm quite certain they use the REFERER URL to determine where the call is coming from. If the domain doesn't match what's assigned to the key, it's an invalid request.

对于一个实际的例子，使用PHP可以检查使用域 $ _ SERVER ['HTTP_REFERER'] 来检查引荐。如果域匹配，返回一个有效的响应。如果没有，你可以返回一个401未授权或其他反应。

For a practical example, using PHP you can check the domain using $_SERVER['HTTP_REFERER'] to check the referer. If the domain matches, return a valid response. If it doesn't, you can return a 401 Unauthorized or other response.

这篇关于如何谷歌地图保护他们的API密钥？如何使类似的东西？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！