Is a Cordova Google Maps API key secure enough?

Question

I wonder if my Google Maps API key is safe the way I use it now. Because I have a Cordova application with Google Maps, I have generated an API key. I cannot whitelist the key to my domain, because it runs client side on the phone.

Also, my API key is visible to anyone who unpacks my app and reads the index.html, or who listens to the web requests that the app makes.

Is there any way to protect my API key? And if there isn't, is it safe to use Google Maps, or any other third-party API that uses an API key for authentication?

Answer

I see two possible solutions to your problem. I have already personally implemented both of them (not with GMaps though), but they still have some downsides.

(1) You can use a backend technology to add the API key to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server, i.e. https://yourserver.com/js/googleapis/maps/api/js, and have mod_rewrite rewrite these URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY

A rule for mod_rewrite (not tested) could look like this:

RewriteEngine On
# Only rewrite requests that carry no query string of their own
RewriteCond %{QUERY_STRING}  ^$
# Forward the request upstream with the key appended server side ([P] requires mod_proxy)
RewriteRule ^/js/googleapis/maps/api/js$ https://maps.googleapis.com/maps/api/js?key=API_KEY [P,L]

I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: if your app causes high traffic, you will most likely experience high traffic on the proxy machine. Further, if attackers figure out the URL of your Google Maps API proxy endpoint, it will be easy for them to retrieve the GMaps API through your service.

(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyway, you could go down a road where the API key service hands out the API key only to registered and authenticated users.

Both approaches have their downsides regarding the better tooling for debugging mobile web applications. I.e. an attacker using macOS, Xcode and Safari on a desktop could establish a debugging session to your Cordova application and step-debug the JS code that runs inside your app. Which means that whatever stretch you make in the Cordova arena, it is quite easy to attach to your app and read variables.
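As an added example that is not part of the original answer, here is the key-injecting proxy from option (1) written as a small Node.js server instead of an Apache rewrite rule. It assumes (hypothetically) that the key is read from a MAPS_API_KEY environment variable and that the app sends a shared secret in an X-App-Token header; the routing policy is kept free of network calls so it can be tested on its own. It also goes a step beyond the answer: the forwarded paths are allow-listed and any client-supplied key parameter is stripped, which narrows the "anyone who finds the endpoint can use it" downside the answer points out.

```javascript
// Added example, not code from the original answer. A minimal Node.js
// reverse proxy that appends the Google Maps API key on the server, so the
// key never ships inside the Cordova bundle. Hypothetical assumptions:
// the key is read from MAPS_API_KEY and the app sends a shared secret in
// an X-App-Token header.

const API_KEY = process.env.MAPS_API_KEY || "API_KEY";      // placeholder, as in the answer
const APP_TOKEN = process.env.APP_TOKEN || "dev-app-token";  // hypothetical shared secret

// Only these local paths are forwarded. Anything else gets a 404, so the
// proxy is not an open relay to arbitrary googleapis.com endpoints.
const ROUTES = {
  "/js/googleapis/maps/api/js": "https://maps.googleapis.com/maps/api/js",
};

// Map an incoming request URL to the upstream URL, or return null when the
// path is not allow-listed. Any client-supplied "key" parameter is dropped
// before the server's key is appended, so a caller cannot swap in their own.
function buildUpstreamUrl(requestUrl) {
  const incoming = new URL(requestUrl, "http://localhost");
  if (!Object.prototype.hasOwnProperty.call(ROUTES, incoming.pathname)) return null;
  const upstream = new URL(ROUTES[incoming.pathname]);
  for (const [name, value] of incoming.searchParams) {
    if (name.toLowerCase() === "key") continue;
    upstream.searchParams.append(name, value);
  }
  upstream.searchParams.set("key", API_KEY);
  return upstream.toString();
}

// Compare the presented token in constant time (the length is still
// revealed, which is acceptable for a fixed-length shared secret).
function tokenIsValid(presented) {
  if (typeof presented !== "string" || presented.length !== APP_TOKEN.length) return false;
  let diff = 0;
  for (let i = 0; i < APP_TOKEN.length; i++) {
    diff |= presented.charCodeAt(i) ^ APP_TOKEN.charCodeAt(i);
  }
  return diff === 0;
}

// Pure routing decision (no network) so the policy can be unit tested:
// returns { status, upstream }. Node lower-cases incoming header names.
function route(requestUrl, headers) {
  if (!tokenIsValid(headers["x-app-token"])) return { status: 403, upstream: null };
  const upstream = buildUpstreamUrl(requestUrl);
  if (upstream === null) return { status: 404, upstream: null };
  return { status: 200, upstream };
}

// Start the proxy. The modules are loaded lazily so the policy functions
// above work unchanged in both CommonJS and ES module projects.
async function start(port) {
  const http = await import("node:http");
  const https = await import("node:https");
  const server = http.createServer((req, res) => {
    const decision = route(req.url, req.headers);
    if (decision.status !== 200) {
      res.writeHead(decision.status);
      res.end();
      return;
    }
    https.get(decision.upstream, (up) => {
      res.writeHead(up.statusCode, { "content-type": up.headers["content-type"] || "text/plain" });
      up.pipe(res);
    }).on("error", () => {
      res.writeHead(502);
      res.end();
    });
  });
  server.listen(port);
  return server;
}

// Only listen when explicitly asked, e.g. PROXY_PORT=8080 node proxy.js
if (process.env.PROXY_PORT) {
  start(Number(process.env.PROXY_PORT));
}
```

Run it with `PROXY_PORT=8080 MAPS_API_KEY=... APP_TOKEN=... node proxy.js` and point the Cordova app at `http://yourserver:8080/js/googleapis/maps/api/js` with the token header set. As the answer notes, anyone who unpacks the app or attaches a debugger can still read X-App-Token, so the token only keeps casual third parties off the endpoint; rate limiting on the proxy and usage quotas on the key itself remain the real backstop.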


09-03 04:59