Google 地图如何保护其 API 密钥?如何制作类似的东西? [英] How does Google Maps secure their API Key? How to make something similar?

问题描述

目前，Google 要求您创建特定于提供地图的域的 API 密钥.Google 如何强制执行此操作?我想做同样的事情.

Currently Google requires you to create an API Key that is specific to the domain of where the map will be served from. How does Google enforce this? I want to do the same thing.

我为我的服务公开了一个 API，但希望允许客户端通过 javascript 而不仅仅是从服务器嵌入对 API 的调用.我可以只用一个随机令牌来保护它，但当然这很容易被任何查看客户端机器上代码的人欺骗.

I expose an API for my service but want to allow clients to embed calls to the API via javascript and not just from the server. I could secure it with just a random token but of course this could be easily spoofed by anyone looking at the code on the client machine.

我一直认为这个概念是不可能的，但不知何故，谷歌在执行它方面做得很好.

I always understood this concept to not be possible but somehow Google does a good job at enforcing it.

编辑 - 听起来谷歌毕竟没有做过任何了不起的事情.他们的 API 很可能只是用于跟踪，并不能真正保证他们的 API 被拥有密钥的人使用.

Edit - It sounds like Google really hasn't done anything amazing after all. Their API is most likely just for tracking and not really to guarantee that their API is used by the person with the key.

推荐答案

我很确定他们使用 REFERER URL 来确定呼叫来自何处.如果域与分配给密钥的内容不匹配，则请求无效.

I'm quite certain they use the REFERER URL to determine where the call is coming from. If the domain doesn't match what's assigned to the key, it's an invalid request.

举一个实际的例子，使用 PHP 你可以使用 $_SERVER['HTTP_REFERER'] 检查域来检查引用.如果域匹配，则返回有效响应.如果没有，您可以返回 401 Unauthorized 或其他响应.

For a practical example, using PHP you can check the domain using $_SERVER['HTTP_REFERER'] to check the referer. If the domain matches, return a valid response. If it doesn't, you can return a 401 Unauthorized or other response.

这篇关于Google 地图如何保护其 API 密钥?如何制作类似的东西?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！