Google Api key for localhost testing


Richard Cheesmar

Jul 5, 2016, 12:21:25 PM
to Google App Engine
I have set up an API key for use with, amongst others, the Google Maps API, and have set up referrers, including one for localhost on a specific port.

Two questions:

1. Does having a localhost referrer mean anyone can use the API key on their own development environment?
2. Do localhost calls eat up your free allowance?

Thanks

Richard Cheesmar

Jul 5, 2016, 12:24:08 PM
to Google App Engine
Oh, just thought of a third

3. Is it an absolute requirement to have an API key? If so, how come my website is working without one at this point in time?

Barry Hunter

Jul 5, 2016, 12:29:06 PM
to google-appengine
1. Does having a localhost referrer mean anyone can use the API key on their own development environment?

Yes. And add a signature to make it harder for others to 'abuse' your key.

2. Do localhost calls eat up your free allowance?

Yes. AFAIK

3. Is it an absolute requirement to have an API key? If so, how come my website is working without one at this point in time?

It depends in part on the specific API. Some are more stringent than others.

Richard Cheesmar

Jul 5, 2016, 1:58:40 PM
to Google App Engine
Thanks Barry

However, I'm using the Google Maps and Places JavaScript API, so I don't think you can sign those, right?




Barry Hunter

Jul 5, 2016, 2:12:23 PM
to google-appengine
Hmm, yes, no signatures there. Even if they did exist, it wouldn't really make sense. If someone viewed the source to get the key, they could get the signature directly (the URL is not unique per request).

But you get 25,000 map loads per day. You would need to be doing an absolute shedload of active development to burn through that.

The damage someone else can make to that quota is also limited. It would take some very dedicated engineering to use much of it. Even some sort of auto-refreshing page is likely to trigger other anti-abuse measures before it can make a dent.

The motivation to use your key is really low. As mentioned, it's bad as a DoS vector, and keys are very easy to obtain. You can even get away with loading the JS API without a key.




Richard Cheesmar

Jul 5, 2016, 2:27:22 PM
to Google App Engine
Well, I can load the JS without a key and it's working live, but somehow in development it's hit and miss.

I am using Places autocomplete, which works fine sometimes but not others. Funny, exactly the same code on two different pages works differently: one will provide the autocomplete all the time, the other on occasions... Absolutely no difference in the autocomplete setup code. Debugged the heck out of it, but it works fine now with a key so...

Although the referrers can be spoofed, the one that annoys is the localhost. I would have assumed that there would be some way of getting around the eating up of the quota on that one.

I need to research a bit more I guess.

Thanks again for your input

Cheers
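
Added example, not part of the original thread: a simplified model of referrer allow-list matching that shows why a `localhost` entry admits any machine's local development server, plus a check that flags loopback entries in a key's allow-list. The wildcard semantics, function names and sample URLs are assumptions made for illustration, not Google's implementation.

```javascript
// Simplified model (assumption): "*" in an allow-list entry matches any run of characters.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Split an entry such as "localhost:8080/*" or "https://www.example.com/*"
// into optional scheme, host, optional port and path.
function parseEntry(entry) {
  const m = /^(?:(https?):\/\/)?(\[[^\]]+\]|[^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(entry.trim());
  if (!m) return null;
  return { scheme: m[1] || null, host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || "/*" };
}

// Turn a wildcard pattern into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Would a request carrying this Referer value pass the given allow-list entry?
function referrerAllowed(entry, referrer) {
  const rule = parseEntry(entry);
  if (!rule) return false;
  const url = new URL(referrer);
  if (rule.scheme && rule.scheme + ":" !== url.protocol) return false;
  if (!globToRegExp(rule.host).test(url.hostname)) return false;
  if (rule.port && rule.port !== "*" && rule.port !== url.port) return false;
  return globToRegExp(rule.path).test(url.pathname);
}

// Audit helper: return the entries that name a loopback host. "localhost"
// resolves to whichever machine the browser runs on, so such an entry
// cannot tell the key owner's workstation apart from anyone else's.
function loopbackEntries(entries) {
  return entries.filter((e) => {
    const rule = parseEntry(e);
    return rule !== null && LOOPBACK_HOSTS.has(rule.host);
  });
}

// Constructed sample data.
const allowList = ["https://www.example.com/*", "localhost:8080/*"];
const ownerDevPage = "http://localhost:8080/dev/map.html"; // key owner's machine
const otherDevPage = "http://localhost:8080/index.html";   // any other machine

console.log(referrerAllowed(allowList[1], ownerDevPage)); // both values look identical
console.log(referrerAllowed(allowList[1], otherDevPage)); // to the referrer check
console.log(loopbackEntries(allowList));
```
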

