API key: Browser API keys cannot have referer restrictions when used with this API

I'm trying to program geocoding. I created an API key, but when I add it to my website code I don't get anything; however, when I don't use the API key everything works well. When I'm sending:
https://maps.googleapis.com/maps/api/geocode/json?address=".$adres."&key=KLUCZ_XXX
I get a response:
Browser API keys cannot have referer restrictions when used with this API.
If I use:
https://maps.googleapis.com/maps/api/geocode/json?address=".$adres"
The result is correct but the number of queries is limited per day.
Key restriction: HTTP referrers (web sites), set to the domain from which the request is made. The Google Maps Geocoding API is enabled.
Does the API key also have to be activated somewhere else to work?

It sounds like you may be making the API call server side. I ran into this issue earlier today. Since you've placed a referrer restriction on your API key, it will be limited to executing on the browser with the web service APIs, including the Geocoding API. It didn't work for me even when manually setting the referrer in the request headers. You can find the other web service APIs on this page: https://developers.google.com/maps/web-services/
Important: If you are using any of the web service APIs with an API key that has referer restrictions, your requests will fail with the error message: "API keys cannot have referer restrictions when used with this API." You should switch to using a server restriction.
You'll want to create a separate key to use server-side. You can change your restriction from a browser restriction to a server restriction by using IP addresses to restrict access, instead of browser referrers.
See this section in the Maps APIs FAQ on switching key type to a server restricted key: https://developers.google.com/maps/faq#switch-key-type
Alternatively, you can continue using a browser key and geocode client-side (JavaScript), then return the result to the backend via ajax.
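The server-side route the answer recommends (a separate, IP-restricted key that never leaves the backend) looks like this as an added example; it is not code from the question, the answer or Google. It assumes Node 18+ (global fetch and URL), a key held in a GEOCODE_API_KEY environment variable, and that the key carries an IP (server) restriction rather than a referer restriction, so the server-side call is accepted. The address is percent-encoded with URLSearchParams rather than concatenated into the URL as in the question, the key is redacted from log lines, and fetch is injectable so the handler can be exercised against a constructed response without network access.

```javascript
// Added example (not code from the original question or answers): a small
// Node.js proxy pattern that keeps a server-restricted Geocoding API key off the
// browser. The page calls /geocode?address=..., the server adds the key and
// calls Google, and the key never reaches page source or the browser console.
// Assumptions: Node 18+ (global fetch, URL, URLSearchParams); the key lives in
// the GEOCODE_API_KEY environment variable; the key carries an IP (server)
// restriction rather than a referer restriction, so the server-side call is
// accepted instead of failing with "cannot have referer restrictions".

const GEOCODE_ENDPOINT = 'https://maps.googleapis.com/maps/api/geocode/json';
const MAX_ADDRESS_LENGTH = 256; // constructed bound: reject oversized input before it spends our quota

// Build the upstream URL. URLSearchParams encodes the address, unlike the raw
// string concatenation in the question.
function buildGeocodeUrl(address, apiKey) {
  const url = new URL(GEOCODE_ENDPOINT);
  url.searchParams.set('address', address);
  url.searchParams.set('key', apiKey);
  return url.toString();
}

// Mask the key before an upstream URL is written to any log line.
function redactKey(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has('key')) url.searchParams.set('key', 'REDACTED');
  return url.toString();
}

// Validate client input: a non-empty string within the size bound.
// Returns null when valid, otherwise a short error message.
function validateAddress(address) {
  if (typeof address !== 'string' || address.trim() === '') return 'address is required';
  if (address.length > MAX_ADDRESS_LENGTH) return 'address too long';
  return null;
}

// Core proxy logic. fetchImpl is injectable so the handler can be exercised
// offline; in production it defaults to the global fetch.
// Returns { status, body, upstreamLogLine } with the key already redacted.
async function handleGeocode(requestUrl, apiKey, fetchImpl = fetch) {
  const address = new URL(requestUrl, 'http://localhost').searchParams.get('address');
  const problem = validateAddress(address);
  if (problem) return { status: 400, body: { error: problem }, upstreamLogLine: null };

  const upstream = buildGeocodeUrl(address, apiKey);
  const res = await fetchImpl(upstream);
  const data = await res.json();
  // Forward only the fields the page needs; never echo the upstream URL,
  // because it contains the key.
  return {
    status: res.ok ? 200 : 502,
    body: { status: data.status, results: data.results || [] },
    upstreamLogLine: `geocode ${redactKey(upstream)} -> ${data.status}`,
  };
}

// Offline demonstration with a constructed fake of Google's response.
const fakeGoogle = async () => ({
  ok: true,
  json: async () => ({ status: 'OK', results: [{ formatted_address: 'Example Street 1, Example City' }] }),
});
handleGeocode('/geocode?address=Example Street 1', 'SERVER_KEY_PLACEHOLDER', fakeGoogle)
  .then((out) => console.log(out.status, out.upstreamLogLine));
```

Wiring this into an HTTP server is one `http.createServer` call that passes `req.url` and `process.env.GEOCODE_API_KEY` to `handleGeocode`; the browser then talks only to your origin, and the referer restriction that broke the direct call is no longer involved.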

If server-side geocoding is not an option, you should use the geocoder from the Google JavaScript API. You can set HTTP referer restrictions on that API.
Google itself says to avoid the non-JavaScript Geocoder API for dynamic geocoding:
This service is generally designed for geocoding static (known in advance) addresses for placement of application content on a map; this service is not designed to respond in real time to user input. For dynamic geocoding (for example, within a user interface element), consult the documentation for the Maps JavaScript API client geocoder and/or the Google Play services Location APIs.

This issue happens when you set the restriction on the server key to a domain name (HTTP referrer) instead of an IP address; it will then show this message:
API keys with referer restrictions cannot be used with this API.
For the Geocoding API, create a separate API key and restrict that key by IP address.
It worked for me.

Related

How to secure an API connection from a static site hosted on a CDN

How can I protect an API request sent from a static site hosted on a CDN?
Use case:
A single-page application using React is hosted on S3 + CloudFront. The site calls the Yahoo Finance API to request some market data. The third-party API uses an API key to authenticate the requests. I can only store the third-party API key in the static site, making it available to anyone.
Considerations:
The static site and the API are not in the same cloud provider or service, so a solution using roles wouldn't work.
A Lambda (Function) proxy solution is my best choice at the moment IMO but this would still allow a request to be sent directly to the Lambda (Function).
The request to the function should also be secure, making the above option still vulnerable. This means that getting the URL to the Proxy Function from the source code and calling the Function is not acceptable either.
I looked around at some other questions posted but haven't found one that addresses the particular circumstances stated here.

Google Cloud Endpoints pass API key in header

According to Cloud Endpoint docs, it seems like you have to pass the API key in the URL itself as a query parameter.
However, that makes us vulnerable to man-in-the-middle attacks. I was wondering if there was a way to have it work by passing the API key in the header instead.
I am working on a simple app which does not have any sign-in method integrated already. Is there an alternative way of authentication in Cloud Endpoints where I am not required to add any existing sign-in method but will be able to use API keys securely?
I tried to define it as described in the OpenAPI v2 spec:
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "x-key"
    in: "header"
And I got this error message when deploying my Cloud Endpoint definition.
WARNING: service.yaml: apiKey 'x-key' is ignored. Only apiKey with 'name' as 'key' and 'in' as 'query' are supported
So, it's not possible.
API keys are generally not secure.
For server-to-server communication, one way to make it secure is using HTTPS and IP whitelisting.
However, for (browser or mobile client)-to-server communication, we need to store API key in client and of course it will be exposed to people.
For secured client-server communication for Google Cloud Endpoints, please try adding authentication method like Firebase or Google ID.
I am finding that, actually, it is possible (at least with Google API Gateway; I might try later to see how it goes with Cloud Endpoints).
Please note, the name to use for the header is 'X-API-Key' (or 'x-api-key'; it is not case sensitive).
It works fine for me like that.
Yes, it is possible to specify the API key in the header.
Here is an excerpt from Google's documentation on API key definition limitations:
When specifying an API key in the security definitions object in your OpenAPI document, Endpoints requires one of the following schemes:
The name is key and the in is query
The name is api_key and the in is query
The name is x-api-key and the in is header
Refer to this link for more information and examples:
https://cloud.google.com/endpoints/docs/openapi/openapi-limitations
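As an added example, not code from the answers or from Google, the following applies an OpenAPI v2 apiKey security definition to an outgoing request and checks a definition against the three name/in combinations quoted above. It assumes those three combinations are the complete rule set, that the header name is matched case-insensitively (as the earlier answer observes for X-API-Key) and that query parameter names are matched exactly. The practical difference between the two placements is visible in the return value: with a header scheme the key is absent from the URL, so it does not end up in access logs, browser history or Referer headers the way a query-string key does.

```javascript
// Added example (not code from the answers or from Google): apply an OpenAPI
// v2 "apiKey" security definition to an outgoing request, and check the
// definition against the three combinations the answer above quotes as the ones
// Cloud Endpoints accepts. Assumptions: those three combinations are the whole
// rule set; header names match case-insensitively, query names match exactly.

// The definition from the question ("x-key" in header) next to the accepted
// header form, as plain objects with the same shape as the YAML on the page.
const REJECTED_DEFINITION = { type: 'apiKey', name: 'x-key', in: 'header' };
const ACCEPTED_DEFINITION = { type: 'apiKey', name: 'x-api-key', in: 'header' };

const ENDPOINTS_SUPPORTED = [
  { name: 'key', in: 'query' },
  { name: 'api_key', in: 'query' },
  { name: 'x-api-key', in: 'header' },
];

// True when the definition is one Cloud Endpoints would honour rather than ignore.
function endpointsSupports(def) {
  if (!def || def.type !== 'apiKey') return false;
  return ENDPOINTS_SUPPORTED.some((s) => {
    if (s.in !== def.in) return false;
    return s.in === 'header' ? s.name === String(def.name).toLowerCase() : s.name === def.name;
  });
}

// Place the key where the definition says. Returns { url, headers } ready for
// fetch(url, { headers }). With in: header the key is absent from the URL; with
// in: query it is part of every logged, bookmarked or referred URL.
function applyApiKey(def, baseUrl, key) {
  const url = new URL(baseUrl);
  const headers = {};
  if (def.in === 'header') {
    headers[def.name] = key;
  } else if (def.in === 'query') {
    url.searchParams.set(def.name, key);
  } else {
    throw new Error(`unsupported apiKey location: ${def.in}`);
  }
  return { url: url.toString(), headers };
}

// Offline demonstration on a constructed endpoint URL and placeholder key.
const demoRequest = applyApiKey(ACCEPTED_DEFINITION, 'https://api.example.com/v1/quote?symbol=ABC', 'KEY_PLACEHOLDER');
console.log(endpointsSupports(REJECTED_DEFINITION), endpointsSupports(ACCEPTED_DEFINITION), demoRequest);
```

The result of applyApiKey is what a client hands to fetch: `fetch(url, { headers })`. Whichever placement is used, the key is only as secret as the client that holds it; a header keeps it out of URL-based records but does not hide it from someone who controls the browser or mobile app.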

How to restrict api gateway rest api to CloudFront hosted S3 website

I have hosted an S3 static site behind CloudFront. That site uses a REST API deployed in API Gateway. The API Gateway has no access control.
I want to protect my API from being accessed by others. Only my static site should be able to access it. I know I can use an API key, but that could be exposed via the browser console, which is not what I want.
Is there other way to control my api access?
Thanks in advance
I have a similar issue as well. It seems like using referer or CORS restrictions is the best way to go. However, in practice I haven't been able to make it work after trying both CORS and referer restrictions. API Gateway has automatic protection against malicious behavior like DDoS attacks according to their FAQs, but it is disheartening that I haven't found a specific solution for protecting my API Gateway that is only used for my S3/CloudFront static site.
Google Cloud allows you to use their API keys on the frontend for integrations with services like Google Maps. The way they protect those keys is through restricting the API keys to certain domains. Unfortunately, I haven't found similar functionality for AWS keys. As you know, the only way to throttle or put quotas on API Gateway is through API keys, so it looks like this would be useless for a static site that can't expose those API keys publicly on the frontend.
It defeats the whole purpose of going completely serverless if I am unable to configure my serverless API Gateway the same way I could configure a normal backend EC2 server. For now, I've created billing alarms so I don't get surprised with a huge AWS bill if something goes wrong with my unprotected API Gateway.

Why is Google API key restriction not working

I have a Google API key. It works fine. I'm seeing traffic to the Google Geocoding API using that API key:
However, I added a restriction on the API key so that this traffic to Google Geocoding API should start denying all these requests:
Doing so has had no effect. The Google Geocoding API continues to see traffic. Why is it not denying these requests? Or is it and I'll always see traffic on that graph even if it's denying the requests? The Errors graph for that same key shows no data during that time period.
You have to also select "By credential" in the 2nd dropdown. Such an annoying design!

Prevent certain referrers from using my oAuth API

According to my Google API console my top referrer is https://www.googleapis.com, which I assume is normal, but it's followed closely by http://blocvox.com, which I don't recognize, and I am suspicious as to why they are consuming a lot of my requests and jeopardizing my capped usage.
How can I prevent this referrer from accessing my API?
Note: I am not using an API key (which does support the blocking of referrers); I am using the OAuth method.
The details depend on what your API is written in, but most popular Web frameworks allow you to look at the referrer value for the HTTP request. You could go further; most Web front-end servers allow you to filter/discard/reject/redirect queries based on the referrer field.
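The "look at the referrer value and reject" approach the answer describes, as an added example for a Node.js HTTP handler (not code from the answer): the policy shape is an assumption of this example, and blocvox.com appears only because the question names it. The caveat a defender should keep in mind is that Referer is set by the client and is trivially omitted or forged, so this protects a quota from careless or misconfigured callers, not from a determined one; it is not authentication.

```javascript
// Added example (not code from the answer): a Referer filter for a Node.js
// (req, res) handler. Assumptions: the policy object below is this example's
// own shape; blocvox.com is used only because the question names it.
// Referer is client-controlled, so treat this as quota hygiene, not auth.

const POLICY = {
  deny: ['blocvox.com'],   // these hosts and their subdomains get 403
  allow: [],               // empty means "any host not denied"; list hosts to switch to an allowlist
  allowMissing: true,      // requests with no (or malformed) Referer pass through
};

// Lower-cased hostname from a Referer header, or null when absent/unparseable.
function refererHost(header) {
  if (!header) return null;
  try {
    return new URL(header).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Exact host or any subdomain of the pattern ("notblocvox.com" does not match).
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith('.' + pattern);
}

// Decide 'allow' or 'deny' for one Referer value under a policy.
function refererDecision(header, policy) {
  const host = refererHost(header);
  if (host === null) return policy.allowMissing ? 'allow' : 'deny';
  if (policy.deny.some((p) => hostMatches(host, p))) return 'deny';
  if (policy.allow.length > 0 && !policy.allow.some((p) => hostMatches(host, p))) return 'deny';
  return 'allow';
}

// Wrap any (req, res) handler: denied requests get 403 and never reach it.
// Node lower-cases incoming header names, hence req.headers['referer'].
function withRefererFilter(policy, handler) {
  return (req, res) => {
    if (refererDecision(req.headers['referer'], policy) === 'deny') {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('Forbidden');
      return;
    }
    return handler(req, res);
  };
}

// Offline demonstration over a few constructed Referer values.
for (const ref of ['http://blocvox.com/widget', 'https://app.blocvox.com/', 'https://www.googleapis.com/', undefined]) {
  console.log(String(ref), '->', refererDecision(ref, POLICY));
}
```

Use it as `http.createServer(withRefererFilter(POLICY, realHandler))`. Switching `allow` to your own hostnames and `allowMissing` to false turns the blocklist into an allowlist, which is the better default once you know every legitimate caller; the same parsing rules apply, and a blank or malformed Referer is then rejected rather than waved through.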