How to secure a Google Maps API Key

To prevent quota theft, secure your API key following these best practices. There are two types of restrictions, application and API.

Application Restrictions

Yoast SEO: Local uses two API keys, a Google Maps Javascript API (browser) key and a Google Maps Geocoding API (server) key.

The browser key should be restricted using the HTTP referrer restrictions whereas the server API should be restricted using an IP address.

HTTP Restrictions

For the Google Maps Javascript API (browser) key, please enter the correct HTTP referrers which is most commonly in this format:

  • https://example.com 
  •  https://example.com/*

There are other options depending on your preferred URL format. Learn more here.

If you are unsure as to what HTTP referrer to add, please contact your webhost or server admin.

IP restrictions

For the Google Maps Geocoding API (server) key, please enter a single IP or a range of IPs. Google provides the following as valid IP restriction examples:

192.168.0.1, 172.16.0.0/12, 2001:db8::1 or 2001:db8::/64

If you are unsure as to what IP address to add, please contact your webhost or server admin.

API Restrictions

Yoast SEO: Local uses the following APIs:

  • Maps JavaScript API (browser key)
  • Directions API (browser key)
  • Timezone API (browser key)
  • Geocoding API (server key)

Removing Google Maps API Restrictions

We highly recommend securing your API key to prevent others from using your quota. The downfall is that incorrect restrictions can cause the maps to fail. Temporarily removing the restrictions will help identify if the restrictions are causing unexpected behaviors.

  1. Go to Google API Console.

    If prompted, log in.

  2. Select your site project.

  3. Click on the name of your API  key.

  4. Click on the 'Application restrictions' tab.

  5. Select 'None'

  6. Click on the 'API restrictions' tab.

  7. Click the 'Delete' icon for each API restriction.

  8. Click 'Save'.

    Google says it may take up to 5 minutes for the settings to take effect.

After 5 minutes, start from your homepage and browse to where the map should appear. If the map appears, the restrictions were invalid.

Was this article helpful? ·