I have a website that use Nuxt for server render and deployed using Cloud Run.
It pulls the YouTube videos of a channel using the YouTube Data API key and pre-rendered it before send to the browser. This is for SEO purpose.
Currently I using the API key restriction option HTTP referrers (web sites) to only allow access from my website.
But on the server when it pre-rendered the API is blocked.
Is there a good solution to add the referrer and allow for Cloud Run to use the API key?
I found a solution which is in my opinion is not the best yet.
I have 2 separate key Youtube API server and Youtube API web.
server key has no restriction
web key is restrict to HTTP referrers (web sites)
In my Nuxt app, when query for server side render, I use the server key. Then when it passed to client side. It use the web key.
This way I protect the "no restriction" key.
I'm not sure any better solution but I imagine in the future, server key without restrictions can be use for multiple services other than Youtube API and only server side have access to that key.
Related
I'm using the OpenTok .js API to build a web app.
The TokBox "Security Best Practices" doc (https://tokbox.com/developer/guides/security/#best-practices) says "Keep the API key and secret private and secure"
I can keep the API "secret" out of the browser app, but as far as I can tell, the API Key has to be available to the browser, in order to make calls to OT.initSession().
Am I missing something, or is the TokBox documentation just misleading?
Manik here from the OpenTok team.
You are correct, the API Key will be available on the client side (browser, mobile device, etc) as expected. This is not an issue because you need the API Key & API Secret combination to be able to create sessions, generate tokens, etc.
For security purposes, you should not expose the combination of API Key and API Secret.
I need to list/change the Google API key restriction by Google API or CI.
I tried to add HTTP referrer restriction to Google API key by Node JS API or gcloud CI, but I only got to list the "service account keys, however I need to list and change the "API keys".
Currently, is possible add restriction by the Google Cloud Console, but like I need to change the API key restriction many times I need to automate this.
You cannot; there is no public API for managing API Keys (or OAuth client IDs).
Consider filing a feature request on Google's public issue tracker (link)
I am asking this question after extensively reading Google's recommended approach, but I do have a problem with all these approaches, let me explain the situation.
I use combination of geolocation and geocoding API to know the approximate state location and then display relevant content. The geolocation API needs to be called obviously from the browser to get appropriate geolocation of the user. Google provides HTTP Referrer based restriction for this API. I know someone can easily spoof the referrer and make calls with the same API key. I do not see a huge advantage even though Google recommends this.
On the other hand Google does not allow HTTP Referrer for geocoding API, but it does allow that for the MAPS JavaScript API. But again if you are not using Google maps then using that API is violation of Google's terms. Now google recommends to move the code that uses geocoding web services API to be on the back-end so that your key will be protected. But since ultimately I need to deliver the result to a front-end web application that is publicly accessible and I can only make a browser based Ajax call to first get the geolocation to feed to geocoding, I ultimately need to make an Ajax call to get my geocoding information. Then someone can easily just latch onto my end-point to piggy back on and call the geocoding API as much as they want. So for situations like this I want to know what is the ideal and secured way to deal with. May be there are other APIs that might be an ideal situation for this.
In my case, I am not doing any maps so it's all purely server-side to get latitudes, longitudes and driving distance between two points. This today from Google support which might help and if you're using maps, then the links may provide further insight.
Regarding API restrictions, please note that HTTP referrers will not
work on Geocoding API since HTTP referrers can only be used for client
side services. In other words, Geocoding is a web service API and
should only be used on server-side implementation. IP address
restrictions should be used for web service APIs. However, if you are
using the Geocoding API in a website, IP address restriction would not
work. Please check the suitable restrictions for each API in the
following link:
https://developers.google.com/maps/api-key-best-practices#api_key_table
To make this work, you should create a separate key and use the new
one in your Geocoding API request URL. You may add a restriction to
this key by using an "API restriction", and restrict it to Geocoding
API only. If you don't want to create another key, you may keep using
your current one but make sure to change your implementation and use
the client side Geocoding service from the Maps JavaScript API. In
that case, please refer to this documentation:
https://developers.google.com/maps/documentation/javascript/geocoding
Another suggestion would be to get a static IP address from your ISP,
especially if you are planning to use it on a public website. For
development purposes, a sound solution would be to get three separate
keys: one for the staging and tests, another for server-side requests
and a third one for client-side requests. That way, you are making
sure your API key is protected.
I'm trying to build an app with comment system and wanna know if
is there any safe way to use the mongolab api without share my key with everyone?
if not what you guys recommend to use instead of mongolab api key with ajax.
Thanks.
Unfortunately there is no way to use the mLab Data API with Ajax and keep the API Key safe. We recommend implementing your own RESTful API server on top of your mLab database that can act as a gatekeeper to the database. Your client application would then make Ajax requests to the API server.
Although this tutorial uses Angular instead of Ajax, here is a good example of the architecture I've described: https://devcenter.heroku.com/articles/mean-apps-restful-api.
My single page app is hosted on Google's cloudstore. I love that I don't have to worry about a server. The app is, naturally, javascript heavy.
Now I would like to add a feature where users can store some data, generate a link to be shared with others and retrieve stored data. Think of a pastebin where some snippet of text is saved and a unique link is generated to be shared with others.
In fact, if it helps, think of this as my attempt to create a pastebin without having to setup a server.
It looks like Google's cloud datastore nosql solution is what I want. Given a key, it will return a snippet of text. However, all the examples on the documentation page imply that I have to setup a back end service using python, node, etc.
Questions:
Can't I just read and write from a web page, perhaps using ajax style http call (since I need to get and put text snippets once data has already been loaded)? I believe I can take care of cross-origin issues by changing some configs in the cloudstore static website server.
Obviously I don't want to serve any encryption keys from the web page. I'm hoping that since my site is served from Google as well, I can configure the nosql service handle permissions intelligently for this scenario.
Is there any documentation which shows how to do this correctly?
Google Datastore is not supposed to be used from client side, it's a served side database. You cannot do that w/o having server side code to authenticate, authorize and validate db related requests.
But there're an alternative. Firebase is a ready to use backend for client side applications, including Javascript apps. It's a separate project, that belongs to Google but not (yet?) part of Google Cloud. Take a look - https://www.firebase.com/
Although the API Rest is still beta, it is possible now to connect from a web client or anything RESTful capabilities. https://cloud.google.com/datastore/reference/rest/