The Google API security best practices is to set HTTP referer application restrictions the for Maps Javascript API and Distance API. However, they recommend the IP address restriction for Geocoding, Places, and Geolocation API's. See https://developers.google.com/maps/api-security-best-practices#obfuscate-apikey for details on this. However, since there is only one OOTB settings value for Google API key values, and both the front-end maps and the backend geolocation admin button(s use it -- that requires us to either set no restricitons on the key (opening up the customer to hijacking of the API key, not utilizing the geolocation features of the platform on the backend, or making a customization on EVERY project. Please make an enhancement that has a separate key for the maps on the front-end that can be HTTP referer restricted from the key used in the backend/admin side that is IP address restricted.