4 Replies Latest reply on Jan 27, 2017 2:12 PM by saeedma
    ewertonm Creator

    Security on Google Maps extension

    Hello all,

     

    I modified the Google Maps extension to use the HeatMaps APIs and create a heatmap based on some data input. It is working well, but I have a question regarding security: in order to make the authentication, I changed the metadata.xml file from the extension to include the AppKey that is required for using these APIs.

    metadata.png

    What happens is that when I run the Mashup, the AppKey shows up in the developer console, which is definitely not secure. As this API usage has a quota, in case the key leaks it can create unwanted billing. It is possible to define which URLs are allowed in the key configuration, but I still do not feel comfortable publishing the AppKey out there.

    indexHTML.png

     

    Does anyone have an idea of how I could secure this information?

     

    Cheers

    Ewerton

      • Re: Security on Google Maps extension
        fnilsen Apprentice

        Hi Ewerton,

         

        Have you checked out the latest videos on how to integrate security into the mashup using Cryptosoft? If you make a search for 'cryptosoft', you will find 6 videos, which may answer your questions. In short, the Cryptosoft extension allows you to encrypt and decrypt any data. Let me know what you think.

         

        Kind regards

        Frode

        • Re: Security on Google Maps extension
          saeedma Apprentice

          The Google API keys can also be secured from your Google account console so that they can only be used by certain IP addresses and referrer URLs.

           

          • Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them: By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
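
An added example, not part of the thread or of the extension's own code: a pre-publish check that lists every Google API key embedded in an extension's metadata.xml, redacted, so each one can be given the referrer restrictions described above. The XML element and attribute names and the sample key are constructed assumptions, not the real extension's layout.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: element/attribute names and the key are assumptions,
# not copied from the real extension's metadata.xml.
SAMPLE_METADATA = """<Entities>
  <Widgets>
    <Widget name="googlemap">
      <UIResources>
        <FileResource type="JS" url="https://maps.googleapis.com/maps/api/js?key=AIzaCONSTRUCTED-placeholder-key-0000000&amp;libraries=visualization"/>
        <FileResource type="JS" file="googlemap.ide.js"/>
      </UIResources>
    </Widget>
  </Widgets>
</Entities>"""

# Hosts whose URLs are expected to carry a Google API key.
GOOGLE_HOST = re.compile(r"(^|\.)googleapis\.com$|(^|\.)google\.com$")


def redact(key):
    """Keep only enough of the key to identify it on the Credentials page."""
    return key[:6] + "..." + key[-4:] if len(key) > 12 else "***"


def find_embedded_keys(xml_text):
    """Return (tag, attribute, host, redacted key) for every attribute
    value that is a Google API URL carrying a key= query parameter."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            try:
                parts = urlsplit(value)
            except ValueError:  # attribute value is not a parseable URL
                continue
            host = parts.hostname
            if not host or not GOOGLE_HOST.search(host):
                continue
            for key in parse_qs(parts.query).get("key", []):
                findings.append((elem.tag, attr, host, redact(key)))
    return findings


if __name__ == "__main__":
    for tag, attr, host, key in find_embedded_keys(SAMPLE_METADATA):
        print(f"<{tag} {attr}=...> sends key {key} to {host}: "
              "restrict it by HTTP referrer before publishing")
```

Any key the check reports is delivered to every browser that loads the mashup, so it is the referrer restriction on that key, not hiding it, that limits what a copied key can be used for.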