Html 如何安全地使用 Google API 密钥
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/39625587/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I securely use Google API Keys
提问by Hyman O
So I am using the Google Maps API on my first project that I am doing... So yes I am new and I am sorry if this is basic or obvious but I haven't been able to find a clear answer or direction. Below is the documentation I found from Google about securely using the API Key.
所以我在我正在做的第一个项目中使用谷歌地图 API...所以是的,我是新手,如果这是基本的或明显的,我很抱歉,但我一直无法找到明确的答案或方向。以下是我从 Google 找到的有关安全使用 API 密钥的文档。
Best practices for securely using API keys
安全使用 API 密钥的最佳实践
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
在应用程序中使用 API 密钥时,请注意确保它们的安全。公开披露您的凭据可能会导致您的帐户被盗用,这可能会导致您的帐户产生意外费用。为确保您的 API 密钥安全,请遵循以下最佳实践:
Do not embed API keys directly in code: API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree. Do not store API keys in files inside your application's source tree: If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub. Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them: By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key. Delete unneeded API keys: To minimize your exposure to attack, delete any API keys that you no longer need. Regenerate your API keys periodically: You can regenerate API keys from the Cloud Platform Console Credentials page by clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys. Review your code before publicly releasing it: Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
不要直接在代码中嵌入 API 密钥:嵌入在代码中的 API 密钥可能会意外暴露给公众,例如,如果您忘记从共享的代码中删除密钥。不要将 API 密钥嵌入到应用程序中,而是将它们存储在环境变量中或应用程序源代码树之外的文件中。不要将 API 密钥存储在应用程序源代码树内的文件中:如果将 API 密钥存储在文件中,请将文件保存在应用程序源代码树之外,以帮助确保您的密钥不会最终出现在源代码控制系统中。如果您使用公共源代码管理系统(如 GitHub),这一点尤其重要。限制您的 API 密钥仅由需要它们的 IP 地址、引用 URL 和移动应用程序使用:通过限制 IP 地址、引用 URL、和可以使用每个密钥的移动应用程序,您可以减少受损 API 密钥的影响。您可以通过打开 Credentials 页面,然后使用所需设置创建新的 API 密钥,或编辑 API 密钥的设置,从控制台指定可以使用每个密钥的主机和应用程序。删除不需要的 API 密钥:为了尽量减少受到攻击的风险,请删除不再需要的任何 API 密钥。定期重新生成您的 API 密钥:您可以从 Cloud Platform Console Credentials 页面通过单击为每个密钥重新生成密钥来重新生成 API 密钥。然后,更新您的应用程序以使用新生成的密钥。在您生成替换密钥后,您的旧密钥将继续工作 24 小时。在公开发布之前检查您的代码:
Now my problem is I can't figure out how to incorporate the Google Map on my website without directly putting it in the code. Right now my API is in my index.html like this:
现在我的问题是我无法弄清楚如何在不直接将其放入代码的情况下将谷歌地图合并到我的网站上。现在我的 API 在我的 index.html 中是这样的:
<script async defer
src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
</script>
But again this is directly in my code for the world to see which I believe is the wrong way.
但这又是直接在我的代码中,让全世界看看我认为哪种方式是错误的。
采纳答案by geocodezip
For the Google Maps Javascript API v3 the keys mustbe public on you page. The applicable text is:
对于 Google Maps Javascript API v3,密钥必须在您的页面上公开。适用的文本是:
Restrict your API keys to be used by only theIP addresses, referrer URLs, and mobile apps that need them
限制您的 API 密钥仅由需要它们的IP 地址、引用 URL和移动应用程序使用
Go to the Google API Console and generate a key, restricting it to URLs that you own (or want to put maps on) to prevent quota "theft".
转到 Google API 控制台并生成一个密钥,将其限制为您拥有(或想要放置地图)的 URL,以防止配额“盗窃”。
回答by Ville N.
The API key best practices articleyou refer to only provides general guidelines for using API keys, and with certain end-user facing APIs, such as the Google Maps JavaScript API, you cannot avoid exposing the API key to the end user.
您参考的API 密钥最佳实践文章仅提供使用 API 密钥的一般指南,对于某些面向最终用户的 API,例如 Google Maps JavaScript API,您无法避免将 API 密钥暴露给最终用户。
In a public Maps JavaScript API app it is therefore strongly recommended to add a referrer restriction to any key used in a production system, especially public facing ones, and only authorize the domain, host or even full file URL of your app.
因此,在公共 Maps JavaScript API 应用程序中,强烈建议为生产系统中使用的任何密钥添加引用限制,尤其是面向公众的密钥,并且仅授权域、主机甚至是应用程序的完整文件 URL。
When you create your key in the Google API Consoleand choose the set up credentials for the Maps JavaScript API, the wizard will instruct you how to secure the key, and will prompt you for URLs you wish to authorize.
当您在Google API 控制台中创建您的密钥并为 Maps JavaScript API 选择设置凭据时,向导将指导您如何保护密钥,并提示您输入您希望授权的 URL。
