Customer Feedback

Status Gathering interest
Categories Technical
Created by Guest
Created on Jan 6, 2022

Google API Key (Security) - Allow separate Backend/Frontend keys to prevent API Hijacking

The Google API security best practice is to set HTTP referer application restrictions for the Maps JavaScript API and Distance API. However, they recommend the IP address restriction for the Geocoding, Places, and Geolocation APIs. See https://developers.google.com/maps/api-security-best-practices#obfuscate-apikey for details on this. However, since there is only one OOTB settings value for Google API key values, and both the front-end maps and the backend geolocation admin button(s) use it, that requires us to either set no restrictions on the key (opening up the customer to hijacking of the API key), not utilize the geolocation features of the platform on the backend, or make a customization on EVERY project. Please make an enhancement that has a separate key for the maps on the front-end that can be HTTP referer restricted from the key used in the backend/admin side that is IP address restricted.
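
The split requested above can be checked mechanically. The following is an added example, not code from the original post or from the platform: it audits key records shaped like the `restrictions` object of the Google API Keys API against the referer/IP grouping the post describes. The service names, the `audit_key` helper and the sample keys are assumptions constructed for illustration.

```python
# Added example: audit API key restrictions against the front-end/backend split.
# Service names are assumed identifiers for the APIs named in the post.
REFERER_APIS = {"maps-backend.googleapis.com",
                "distance-matrix-backend.googleapis.com"}
IP_APIS = {"geocoding-backend.googleapis.com",
           "places-backend.googleapis.com",
           "geolocation.googleapis.com"}

def audit_key(key):
    """Return a list of findings for one key record (empty list = OK)."""
    r = key.get("restrictions") or {}
    referrers = (r.get("browserKeyRestrictions") or {}).get("allowedReferrers") or []
    ips = (r.get("serverKeyRestrictions") or {}).get("allowedIps") or []
    targets = {t["service"] for t in r.get("apiTargets") or []}
    findings = []
    if not referrers and not ips:
        findings.append("no application restriction")
    if not targets:
        findings.append("no API restriction")
    if targets & REFERER_APIS and targets & IP_APIS:
        findings.append("shared by front-end and backend APIs; split into two keys")
    if referrers and targets & IP_APIS:
        findings.append("referer restriction on backend API; use IP restriction")
    if ips and targets & REFERER_APIS:
        findings.append("IP restriction on front-end API; use referer restriction")
    return findings

# Constructed sample records (hosts and addresses are documentation values).
SINGLE_OOTB_KEY = {"name": "ootb-key", "restrictions": {}}
SHARED_REFERER_KEY = {"name": "shared-key", "restrictions": {
    "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
    "apiTargets": [{"service": "maps-backend.googleapis.com"},
                   {"service": "geocoding-backend.googleapis.com"}]}}
FRONTEND_KEY = {"name": "frontend-key", "restrictions": {
    "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}}
BACKEND_KEY = {"name": "backend-key", "restrictions": {
    "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
    "apiTargets": [{"service": "geocoding-backend.googleapis.com"},
                   {"service": "places-backend.googleapis.com"}]}}

if __name__ == "__main__":
    for k in (SINGLE_OOTB_KEY, SHARED_REFERER_KEY, FRONTEND_KEY, BACKEND_KEY):
        print(k["name"], "->", audit_key(k) or "OK")
```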