Setting up Google API Key Restrictions

I am running into an issue configuring my Google Geocode and Maps APIs. I have read in the Google’s documentation that

Before moving your mobile app, website, or web server to production, it is recommended that you secure your API key by adding a restriction …

So if I set up the restriction to be HTTP referrers, and configure the referrer to be my domain, Maps in my Bubble app show correctly, and addresses, when used in fields, are correctly autocompleted. However, if I try to capture the current user’s location as follows:

[screenshot of the workflow step that captures the current user's location omitted]

I get the following error:

Error hitting Google Geocode API: API keys with referer restrictions cannot be used with this API.

Of course, if I remove the key’s restrictions then all works as expected.

Can anyone shine some light on what I am doing wrong? Any help is much appreciated.

Thanks!

3 Likes

The way you are capturing the user location is via a server call, so you’d want an IP address restriction instead of an HTTP referrer restriction.

Because each key can only have one restriction type, you’ll probably want a second key for the server access.

1 Like

Thanks @mishav, that makes sense.

So, although unrelated to the API itself, do you know how I can find the IP address for my Bubble app? I tried the DNS numbers configured in the Domain (@/ww) but that did not work.

Thanks!

1 Like

Bubble support should be able to give the range of possible IP addresses for your app.

2 Likes

Static IPs are only available on a Dedicated plan. For Google Maps, we recommend users to use the http referrers method.

2 Likes

@neerja how about the range of IP addresses across all Bubble apps, similar to what you provide for firewall access?

It’s not as restrictive as a single app, but would be better than completely open.

1 Like

I agree with @mishav , having these API keys completely open is a security risk, per Google’s API documentation:

An API key is unrestricted by default. Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. For production applications, set both application and API restrictions.

@neerja, do you have any suggestions on how to make production applications secure in a Personal app plan?

1 Like

@mishav Our team can review this request but this will not be a quick change.
@malife Google Maps / Geocoding API keys are not exposed. You are entering it in your app settings which, along with the rest of the editor, should not be visible if the app is set as private.

1 Like

Hello @neerja, I am not concerned about the Bubble app, but rather the software once it’s deployed and in production. So I am not sure I agree.

The Google Maps API key is clearly visible to anyone rendering the page:

Now, that key I can restrict by HTTP referrer and everything still works. Having said that, I was not able to find the Google Geocode API key.

Can anyone confirm that the Google Geocode API key will not be visible in the page’s source?

3 Likes
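The two points raised above, that a server-side Geocoding call needs its own (IP-restricted) key separate from the referrer-restricted key the browser loads, and that someone should confirm which key a visitor can actually read out of the page source, can both be demonstrated with a small script. The following is an added example written for this thread; it is not Bubble's code, not Google's, and not from any poster. It assumes a backend endpoint that receives an address from the browser and calls the Geocoding web service itself (so the server key never reaches the client), and it assumes the commonly observed key shape of `AIza` followed by 35 URL-safe characters for the page-source scan. The keys and the HTML page in it are constructed, non-working stand-ins.

```python
# Added example (not from the forum thread, Bubble or Google): the two-key
# split discussed above, plus a page-source check for leaked keys.
import re
from typing import Optional
from urllib.parse import urlencode

# Assumption: Google API keys are commonly observed as "AIza" followed by
# 35 URL-safe characters. This pattern drives the page-source scan.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed, non-working keys in the expected shape (not real credentials).
BROWSER_KEY = "AIza" + "SyBrowserKeyExample" + "0123456789abcdef"   # HTTP referrer restricted
SERVER_KEY = "AIza" + "SyServerKeyExample" + "0123456789abcdefg"    # IP address restricted

# Constructed stand-in for the HTML a visitor sees: only the browser key is present.
SAMPLE_PAGE_HTML = f"""<html><head>
<script src="https://maps.googleapis.com/maps/api/js?key={BROWSER_KEY}&libraries=places"></script>
</head><body><div id="map"></div></body></html>"""

MAX_ADDRESS_LEN = 256


def build_geocode_url(address: str, server_key: str = SERVER_KEY) -> str:
    """Build the server-side Geocoding web service request.

    This request is sent from the backend, so no Referer header accompanies it
    and a referrer-restricted key is rejected with the error quoted in the
    thread; an IP-restricted key is the matching restriction type.
    """
    address = address.strip()
    if not address or len(address) > MAX_ADDRESS_LEN:
        raise ValueError("address must be 1..%d characters" % MAX_ADDRESS_LEN)
    return "https://maps.googleapis.com/maps/api/geocode/json?" + urlencode(
        {"address": address, "key": server_key}
    )


def extract_location(geocode_json: dict) -> Optional[dict]:
    """Reduce a Geocoding API response to the fields the browser needs.

    Returning only this subset (never the raw response or the request URL)
    keeps the server key out of anything the client can inspect.
    """
    if geocode_json.get("status") != "OK" or not geocode_json.get("results"):
        return None
    top = geocode_json["results"][0]
    loc = top["geometry"]["location"]
    return {"lat": loc["lat"], "lng": loc["lng"], "formatted_address": top["formatted_address"]}


def find_exposed_keys(html: str) -> set:
    """Return every key-shaped string visible in rendered page HTML."""
    return set(GOOGLE_API_KEY_RE.findall(html))


def audit_page(html: str, browser_key: str, server_key: str) -> dict:
    """The check the thread asks for: which keys does a visitor actually see?"""
    found = find_exposed_keys(html)
    return {
        "browser_key_visible": browser_key in found,  # expected; it is referrer restricted
        "server_key_visible": server_key in found,    # must be False
        "unknown_keys": sorted(found - {browser_key, server_key}),
    }


if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE_HTML, BROWSER_KEY, SERVER_KEY))
    print(build_geocode_url("1600 Amphitheatre Pkwy, Mountain View, CA"))
    # Constructed response in the Geocoding API's documented JSON shape.
    sample_response = {
        "status": "OK",
        "results": [{
            "formatted_address": "1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA",
            "geometry": {"location": {"lat": 37.4224, "lng": -122.0842}},
        }],
    }
    print(extract_location(sample_response))
```

Run `audit_page` against the HTML your deployed page actually serves (view-source, plus any fetched scripts): the browser key showing up is expected and harmless as long as its referrer restriction is in place, while the server key appearing anywhere in that output means the backend is leaking it and the key should be rotated.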

Hi @malife,

I know this post is from a very long time ago, but I am wondering if you ever got a response as I am having the same problem?

I have configured my Google Geocoding and Google Maps APIs for my app (as 2 different API keys) and for my Google Maps API I am able to use HTTP referrers as a restriction and it works fine. However, for my Geocoding API, it only works when I take off the HTTP referrers restriction and thus I am forced to use it without any restriction. Like you, I am concerned that without this restriction, anyone could access and use my API key.

Like you mentioned in the post, when I look at the page’s source I am only able to see my Google Maps API key which is restricted, so it seems OK. It does not seem like my Geocoding API key is visible, so even though it is not restricted, it would seem not to be a security issue. However, it would be great if someone could confirm that there is no way to access Geocoding API keys?

I would appreciate your help!

Thanks,
Melissa

1 Like

Hello Melissa,
Unfortunately, I never heard back. One thing I can say is that my app has been out in the wild for a year or so and I have not detected any misuse of my API key.

It would be good if someone from the Bubble team could confirm whether our understanding is correct.

Sorry I can’t be of much help this time.

1 Like

Thank you for the prompt response @malife, it is helpful to know that you haven’t identified misuse after a year!

Hi @romanmg, sorry to bring you into this thread but I was wondering if you have any insight into this. To save you time, the question is really if you know if people can access a Google Geocoding API Key that is not restricted? We ask because it seems like Google does not allow HTTP referrers restriction on Geocoding API Keys.

Thank you!
Melissa

1 Like

Hi, so, in conclusion, you can’t enable HTTP referrers restriction on Geocoding API keys and Bubble is not going to do a thing about it?

1 Like

Any updates on this? Is there a way to use the server-side API in a secure way?

By the way, for client-side, when I turn on a restriction by domain (both mine and Bubble’s) it breaks the API. I’m maybe doing something wrong there, but from my research there’s no way to place a restriction from the server side unless paying for a dedicated IP. Is that correct?

Is there still no fix for this? It seems like quite a big security concern.