Someone is using my Google Maps API Key
I noticed my monthly Google Maps Static API (Static Maps) usage has been increasing month over month, from 30K -> 55K -> 80K (check at Billing -> Transactions). I switched all static map request code to MapBox and realised my Google Maps Static API (Static Maps) usage didn't decrease, while my MapBox Static Images API calls are only around 30K.
I suspected someone was stealing my API key and tried to find some clue at Google Maps -> Metrics, selecting Maps Static API from the drop-down. This dashboard only shows the daily Requests by API and Requests by credential; there is no report or log that shows where (which domain and URL) and how the API is accessed.
Since I know which credential the API is being called with, I went to the Credentials page to check whether the credential is secured. It is secured with Application restrictions: HTTP referrers (websites), with Website restrictions set to my domain name only (not even localhost). I
If you visit How do I securely use Google API Keys, you will see that the first comment says restricting the key to a URL isn't secure, since the HTTP referrer can be easily spoofed. Reading further in Google Maps Platform best practices: Securing API keys when using Static Maps and Street View APIs, I found out that the request URL can be signed using a secret key for added security.
The next step up is to sign your request URL and disable/limit requests with unsigned URLs (Google Maps -> Quota, select Maps Static API and set the request limit for unsigned requests to 0). Refer to Secure Google Maps Static API (Web) With Signed Url (Python).
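Below is an added example of what URL signing looks like in practice; it is not code from this post or from Google. It implements the documented scheme for Static Maps URLs: the signing secret is a URL-safe base64 string, the signature is an HMAC-SHA1 over the path and query string (everything after the host), URL-safe base64 encoded and appended as the last parameter. The secret, the API key value and the sample request are constructed placeholders. The verify function mirrors what Google's servers do, so you can see that changing any parameter after signing (for example the zoom level) invalidates the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample secret, in the same URL-safe base64 form as the real
# one issued in the Cloud console. Not a real Google signing secret.
SAMPLE_SECRET = base64.urlsafe_b64encode(b"constructed-sample-secret-not-real").decode("ascii")

# Constructed sample request; YOUR_API_KEY is a placeholder for the real key.
SAMPLE_URL = (
    "https://maps.googleapis.com/maps/api/staticmap"
    "?center=Singapore&zoom=12&size=400x400&key=YOUR_API_KEY"
)


def _compute_signature(path_and_query: str, secret: str) -> str:
    """HMAC-SHA1 over the path+query, keyed with the decoded secret, URL-safe base64 output."""
    key = base64.urlsafe_b64decode(secret)
    digest = hmac.new(key, path_and_query.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def sign_static_map_url(url: str, secret: str) -> str:
    """Return the URL with a 'signature' parameter appended as the last query parameter."""
    parsed = urlparse(url)
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    signature = _compute_signature(path_and_query, secret)
    separator = "&" if parsed.query else "?"
    return f"{parsed.scheme}://{parsed.netloc}{path_and_query}{separator}signature={signature}"


def verify_signed_url(signed_url: str, secret: str) -> bool:
    """Recompute the signature over everything before 'signature=' and compare in constant time."""
    parsed = urlparse(signed_url)
    params = parsed.query.split("&") if parsed.query else []
    presented = [p[len("signature="):] for p in params if p.startswith("signature=")]
    if len(presented) != 1:
        return False  # missing or duplicated signature parameter
    remaining = [p for p in params if not p.startswith("signature=")]
    path_and_query = parsed.path + ("?" + "&".join(remaining) if remaining else "")
    expected = _compute_signature(path_and_query, secret)
    return hmac.compare_digest(presented[0], expected)


if __name__ == "__main__":
    signed = sign_static_map_url(SAMPLE_URL, SAMPLE_SECRET)
    print("signed URL:", signed)
    print("valid as issued:", verify_signed_url(signed, SAMPLE_SECRET))
    # Tampering with a parameter after signing breaks the signature.
    tampered = signed.replace("zoom=12", "zoom=15")
    print("valid after tampering:", verify_signed_url(tampered, SAMPLE_SECRET))
```

The secret only ever lives on your server: the page that embeds the map image requests the signed URL from your backend, so a copied API key alone no longer produces billable Static Maps requests once the unsigned-request quota is set to 0.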
In my case, I am temporarily no longer using the Google Maps Static API, so I just disabled the Maps Static API.