Restricting Google API Keys: HTTP referrers (websites)


Matthew Parkes

Sep 10, 2018, 10:16:33 PM
to Google App Engine

I've recently migrated my existing appengine application to use an API key when using Google geocode and Timezone API calls as per the new pay per use API requests.

My problem is that when reading the best practices in regards to API keys, they talk about securing your API keys with various restrictions. Since I'm using appengine to request the Google APIs via a URLFetch call, I've opted to use the HTTP Referrers method of securing my key. After doing some research I realize this can be spoofed, but some restriction is better than none.

The problem is, I cannot seem to figure out what URL to put in the "Accept requests from these HTTP referrers (websites) (Optional)" box. My requests to the Google APIs are only ever coming from my backend, so I'd like to restrict my key usage to the Google appengine URL of my project. However, I've tried various combinations of *[APPID].appspot.com * but I always get an INVALID REQUEST upon requesting the API with restriction enabled. I cannot seem to find any documentation on how to restrict these API calls to the appengine server. Since the IP of the appengine server is constantly changing (I'm assuming), I can't use that.


Any help is greatly appreciated.

Thanks,

Matt

David (Google Cloud Support)

Sep 14, 2018, 3:36:22 PM
to google-a...@googlegroups.com

Hello Matthew,


This is the correct way to enter the HTTP referrers in the field:
 
https://[Your App ID].appspot.com/*
http://[Your App ID].appspot.com/*

However, as stated in this document, web service APIs need to use API keys restricted to IP addresses, so you won’t be able to restrict your API key using an HTTP referer. Because it would not make sense to set an IP address based restriction on App Engine since addresses are not static, as a workaround, you could make these calls from another location and set an API key restriction based on an IP address which should be static.