API key embedded in clients: how to defend against over-usage?

Çağlar Arlı

I am new to client-side development and I have a naive question. Right now, I'm using Google APIs (the map ones). If I want my client-side application / webapp to display a map, I would include something like this in my index.html:

<script src="https://maps.googleapis.com/maps/api/js?key=MY_API_KEY"></script>

The API key in this snippet would have only the required permissions (let's say "get the map"). Even though the permissions of the key are restricted, it's still readable by an attacker. And every "get the map" action costs a bit of money.

How would I prevent an attacker from using this key to make millions of requests and drying my bank account?