如何安全使用Google API密钥 [英] How do I securely use Google API Keys
问题描述
安全使用API密钥的最佳做法
在应用程序中使用API密钥时,请注意保持它们的安全。公开曝光您的凭据可能会导致您的帐户遭到入侵,这可能会导致您的帐户出现意外收费。为了保证您的API密钥安全,请遵循以下最佳实践:
不要直接在代码中嵌入API密钥:嵌入代码中的API密钥可能会意外暴露给公众例如,如果您忘记从共享的代码中删除密钥。不要将API密钥嵌入到应用程序中,而应将其存储在环境变量或应用程序源代码树之外的文件中。
不要将API密钥存储在应用程序源代码树中的文件中:如果将API密钥存储在文件中,请将这些文件保存在应用程序源代码树之外,以帮助确保您的密钥不会在源代码控制系统中结束。如果您使用公共源代码管理系统(如GitHub),这一点尤其重要。
限制您的API密钥仅供需要它们的IP地址,引用网址和移动应用程序使用:通过限制IP地址,引荐网址和可以使用每个密钥的移动应用程序,可以降低影响受损的API密钥。您可以通过打开Credentials页面,然后使用所需设置创建新API键或编辑API密钥设置来指定可以使用控制台中的每个密钥的主机和应用程序。
删除不需要的API密钥:为了最大限度地减少您受到攻击的风险,请删除不再需要的任何API密钥。
定期重新生成API密钥:您可以通过单击每个密钥的重新生成密钥,从Cloud Platform Console Credentials页面重新生成API密钥。然后,更新您的应用程序以使用新生成的密钥。生成更换密钥后,您的旧密钥将继续工作24小时。
在公开发布代码之前查看您的代码:在您公开发布代码之前,确保您的代码不包含API密钥或任何其他私人信息。
现在我的问题是我无法弄清楚如何将Google Map合并到我的网站上,而无需直接将其放入代码中。现在我的API位于我的index.html中,如下所示:
< script async defer
src =https ?://maps.googleapis.com/maps/api/js键= YOUR_API_KEY&安培;回调= initMap>
< / script>
但是,这又直接在我的代码中,让世界看到我认为是错误的方式。
对于Google Maps JavaScript API v3,键必须在您的网页上公开。
适用文本为:
限制您的API密钥仅供 IP地址使用,引用网址和移动应用需要它们 Google API控制台并生成密钥,并将其限制为您拥有(或想要放置地图)的URL以防止配额盗用。
So I am using the Google Maps API on my first project that I am doing... So yes I am new and I am sorry if this is basic or obvious but I haven't been able to find a clear answer or direction. Below is the documentation I found from Google about securely using the API Key.
Best practices for securely using API keys
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
Do not embed API keys directly in code: API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree. Do not store API keys in files inside your application's source tree: If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub. Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them: By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key. Delete unneeded API keys: To minimize your exposure to attack, delete any API keys that you no longer need. Regenerate your API keys periodically: You can regenerate API keys from the Cloud Platform Console Credentials page by clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys. Review your code before publicly releasing it: Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
Now my problem is I can't figure out how to incorporate the Google Map on my website without directly putting it in the code. Right now my API is in my index.html like this:
<script async defer src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"> </script>But again this is directly in my code for the world to see which I believe is the wrong way.
解决方案For the Google Maps Javascript API v3 the keys must be public on you page. The applicable text is:
Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them
Go to the Google API Console and generate a key, restricting it to URLs that you own (or want to put maps on) to prevent quota "theft".
这篇关于如何安全使用Google API密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
