2

With the old app_id and code_id setup we were able to use a whitelist in order to determine from which URLs requests would be allowed using the credentials.

I cannot find any setting for this with the new apiKey. How are we supposed to secure this, as the key is appended to all requests and is thus visible to website users?

tommueller
  • 2,358
  • 2
  • 32
  • 44

3 Answers

2

You mentioned you can't secure the key to domains - however I see it here:

Screen shot of key editing

Raymond Camden
  • 10,661
  • 3
  • 34
  • 68
  • That is really strange, I do not have that setting. Maybe I need to remove my old App ID and App Code setup before ... – tommueller Jan 15 '20 at 16:34
  • Can you try and let me know if it helps? – Raymond Camden Jan 15 '20 at 20:16
  • Currently I cannot, because prod system is still using the old authentication ... – tommueller Jan 16 '20 at 09:13
  • Perhaps try a second account? That's probably against TOS, but I'd call that a minor issue. :) – Raymond Camden Jan 16 '20 at 18:02
  • I have the same problem. I created new freemium plan on 17th May, can't find domain whitelist. What is more interesting usage is not showing any activity. Sure enough I am only evaluating platform as an alternative to google maps so not a huge issue atm but still... – Pawel May 19 '20 at 09:25
2

The best solution is to use a JavaScript key, where host protections are enabled. You can use the JavaScript keys to call the REST APIs. Our docs do not make this clear, but we've got a doc fix coming out to make it more obvious. But yes - just use the JavaScript key.

Raymond Camden
  • 10,661
  • 3
  • 34
  • 68
  • Isn't it still insecure to have the HERE Maps API key in your frontend code, even when you've enabled host protections? Couldn't someone just steal the API key from the front end and send a request from their server, by changing the "referer" header or "host" header or whatever to look like the request is coming from our hosts? – Brian K Apr 12 '23 at 20:14
  • As far as I know that will not work. – Raymond Camden Apr 13 '23 at 21:47
0

Recommend that you use OAuth 2.0 https://developer.here.com/documentation/authentication/dev_guide/topics/token.html

Koustav Ray
  • 1,112
  • 13
  • 26