protecting google api keys

For those of you in the self-service Store Locator Plus® WordPress plugins camp you are going to want to spend time protecting your Google API Keys.    For those using our Store Locator Plus® managed SaaS service, this is yet another article you can skip.

The basic configuration of Google API Keys tells you to turn off ALL restrictions on the first API key you setup with Google.    Turns out a lot of people have issues with configuring the keys properly and getting them put in the right place. 

To make matters more complicated, some lower-end web hosting companies don’t understand security and in turn shut off critical web services that do nothing to improve security; Like disabling all communication between the web server and Google.  That breaks things like the ability to Geocode locations in Store Locator Plus®.

This article is here to tell our WordPress plugin users how to properly secure their Google API keys for web hosts are configured properly.

Getting Your API Keys

If you’ve not already done so, go read the setting up your API keys and Google billing account.    Assuming you already did that, let’s add some security so anyone that visits your maps page can’t go steal your API key and start using it on their site.

Start by logging into your Google Console account.   Go to the “key icon” for the credentials section once you are logged in.

Google API Credentials

You will likely see a single API key.   Edit this key and give it a new name “Browser Key”.

Now add a second credential with “Create Credentials” and name this credential “Geocoding Key”.  

We are going to assume that since you are creating this under the same Google account where you created your initial key that the JavaScript Maps library and Geocoding library are already enabled.    

Adding Keys To Store Locator Plus

Now log into your WordPress site as an admin and go to Store Locator Plus® | General | Server.   Make sure you copy your Google API key you named “Browser Key” into the Browser Key field.    Copy the one you named “Geocoding Key” to the Geocoding field.

Test the new geocoding key is working by changing your Center Map At setting under Store Locator Plus® | Settings | Map — if it is not working you’ve done something wrong or your web host is blocking Google communications (in which case your original single API key probably was not working either).

Go Secure Your Browser Key

So now the secret sauce to prevent people from stealing your keys.    Let’s start with the Browser Key where you will add an HTTP Referrer restriction.   Since this is the key that is exposed to every visitor on your site it is the most important to restrict.

When the JavaScript Map is loaded on your site,  your SITE VISITOR’s web browser runs the Google JavaScript code.    Their browser is going to send the request to Google saying “please draw the map”.  When it does this it is going to include your API key — so Google can bill you for drawing the map on your site.

When this request is sent a few things are sent along with that request.  Along with your site visitor’s IP address (which is different for every visitor) there is something else being sent — the web address the user is looking at when the request is made.    This will be the address where your map appears as in or something like that.      The domain name part is sent to Google as the HTTP Referrer.

This is what we are going to use to prevent other websites from installing your Google Key and having you pay to draw maps on their site.    

Go to the Google Console and find that Browser Key.   Edit the key and set it to add an HTTP Referrer restriction.   This is important for protecting Google API Keys. The restriction should include your website address.  The more specific the better — but remember if you make it TOO specific it may not work.  A good rule is to use a partially generic domain name like * as the restriction.

What About The Geocoding Key?

You do not need to restrict the Geocoding key.   This key is never exposed to the public.   The Geocoding key is saved in your WordPress install and is only communicated from your web host to Google directly using a secure channel (https protocol).    

Theoretically someone could listen to your hosting providers network and try to extract the key from an encrypted channel which is very unlikely. 

More likely is that someone gains admin access to your site or the WordPress database and grabs the key from there.  In which case you have much bigger problems to worry about.

If you want to go the extra mile and secure the Geocoding key you can use a similar process to securing the Browser Key but instead edit the Geocoding Key and set an IP based restriction.   

The IP address must match the IP address your web hosts uses to talk to Google.   For shared hosting companies this may NOT be the same IP address that is used to access your site.   For many cloud based services this will even be part of a large Class C or subnet IP block which means you’ll need to know ALL the IP addresses your host is using.    These days the IP address can even be an IPV6 format.  

Yes you can use CIDR notation and mix-and-match IPV6 and IPV4 addresses.  If all of this confuses you and a simple IP address restriction seems to break your Geocoding requests sometimes (or always) leave the restriction off.

Protecting Google API Keys With SaaS

Tired of dealing with Google? Let us manage Google API Key security with our fully managed Store Locator Plus® SaaS offering.