
Setting up Google API Key's Restrictions


#1

I am running into an issue configuring my Google Geocode and Maps APIs. I have read in Google’s documentation that

Before moving your mobile app, website, or web server to production, it is recommended that you secure your API key by adding a restriction …

So if I set up the restriction to be HTTP referrers, and configure the referrer to be my domain, Maps in my Bubble app show correctly, and addresses, when used in fields, are correctly autocompleted. However, if I try to capture the current user’s location as follows:

[Screenshot: 2018-12-02_19-38-14]

I get the following error:

Error hitting Google Geocode API: API keys with referer restrictions cannot be used with this API.

Of course, if I remove the key’s restrictions, then all works as expected.

Can anyone shine some light on what I am doing wrong? Any help is much appreciated.

Thanks!


#2

The way you are capturing the user location is via a server call, so you’d want an IP address restriction instead of an HTTP referrer restriction.

Because each key can only have one restriction type, you’ll probably want a second key for the server access.


#3

Thanks @mishav, that makes sense.

So, although unrelated to the API itself, do you know how I can find the IP address for my Bubble app? I tried the DNS numbers configured in the Domain (@/ww) but that did not work.

Thanks!


#4

Bubble support should be able to give the range of possible IP addresses for your app.


#5

Static IPs are only available on a Dedicated plan. For Google Maps, we recommend that users use the HTTP referrers method.


#6

@neerja how about the range of IP addresses across all Bubble apps, similar to what you provide for firewall access?

It’s not as restrictive as a single app, but would be better than completely open.


#7

I agree with @mishav, having these API keys completely open is a security risk, per Google’s API documentation:

An API key is unrestricted by default. Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. For production applications, set both application and API restrictions.

@neerja, do you have any suggestions on how to make production applications secure in a Personal app plan?
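
The key split suggested in #2 and the "both application and API restrictions" advice quoted in #7 can be checked mechanically. The following is an added example, not code from the thread, Bubble or Google: it audits a constructed key inventory shaped like the `restrictions` object of Google's API Keys API and flags unrestricted keys and a referrer-restricted key that also targets a server-called API, the combination behind the error in #1. The names `audit_key`, `audit`, `WEB_SERVICE_APIS` and `SAMPLE_KEYS` are assumptions of this example.

```python
# Added example: audit API key restrictions from an exported inventory.
# Assumption: APIs your backend calls server-to-server; adjust to your project.
WEB_SERVICE_APIS = {"geocoding-backend.googleapis.com"}
APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")

def audit_key(key):
    """Return a list of findings for one key record (empty list = OK)."""
    r = key.get("restrictions") or {}
    targets = {t.get("service") for t in r.get("apiTargets", [])}
    findings = []
    if not any(name in r for name in APP_RESTRICTIONS):
        findings.append("no application restriction")
    if not targets:
        findings.append("no API restriction")
    if "browserKeyRestrictions" in r:
        if not r["browserKeyRestrictions"].get("allowedReferrers"):
            findings.append("empty referrer list")
        # A referrer check cannot be satisfied by a server-side call.
        clash = sorted(targets & WEB_SERVICE_APIS)
        if clash:
            findings.append("referrer-restricted key targets server-side API: "
                            + ", ".join(clash))
    if "serverKeyRestrictions" in r and not r["serverKeyRestrictions"].get("allowedIps"):
        findings.append("empty IP list")
    return findings

def audit(keys):
    """Map each key's display name to its findings."""
    return {k["displayName"]: audit_key(k) for k in keys}

# Constructed sample inventory (example.com and 203.0.113.0/24 are documentation values).
SAMPLE_KEYS = [
    {"displayName": "open-key"},
    {"displayName": "browser-maps", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "one-key-for-all", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        "apiTargets": [{"service": "maps-backend.googleapis.com"},
                       {"service": "geocoding-backend.googleapis.com"}]}},
    {"displayName": "server-geocode", "restrictions": {
        "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
        "apiTargets": [{"service": "geocoding-backend.googleapis.com"}]}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(name, "->", findings or "OK")
```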


#8

@mishav Our team can review this request but this will not be a quick change.
@malife Google Maps / Geocoding API keys are not exposed. You are entering it in your app settings, which, along with the rest of the editor, should not be visible if the app is set as private.


#9

Hello @neerja, I am not concerned about the Bubble app, but rather the software once it’s deployed and in production. So I am not sure I agree.

The Google Maps API key is clearly visible to anyone rendering the page:

Now, that key I can restrict by HTTP referrer and everything still works. Having said that, I was not able to find the Google Geocode API key.

Can anyone confirm that the Google Geocode API key will not be visible in the page’s source?