• linux4me2

    (@linux4me2)


    I received a notice from Google today saying:

    We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project…

    It then listed my IDXPress site and the Google Maps API key it found.

    When I checked the site, I found that the Google Maps API key was being appended as a query string variable to the following line:

    <script src='//maps.googleapis.com/maps/api/js?key=<API Key was here>&libraries=drawing%2Cgeometry&ver=6.1.1' id='dsidxpress_google_maps_geocode_api-js'></script>

    So it does look like the IDXPress Plugin is including Google Maps API keys in the clear if you add your Google Maps API key in Admin > IDX > More Options > Google Maps API Key. Not good.

    My workaround was to delete the Google Maps API key from IDX settings and clear my cache. It looks like Google Maps is still working without the API key.

    I also regenerated the API key as Google recommends.

    Hopefully, IDXPress can come up with a way to use the Google Maps API without publicly publishing the API key.

    It does look like you can restrict a Google Maps API key to a specific domain, which is better than nothing, but still not optimal.
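
An added example, not part of the original post or the plugin's code: a Python check a site owner can run over a saved copy of their own rendered page to confirm whether the Maps script tag still carries a `key=` value after changing the setting and clearing the cache. The sample HTML and its key value are constructed, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

MAPS_HOST = "maps.googleapis.com"  # host seen in the script tag quoted in the post


def redact(key):
    """Keep only enough of the key to match it against the Cloud console."""
    return key[:4] + "..." + key[-4:] if len(key) > 12 else "<redacted>"


class KeyedScriptFinder(HTMLParser):
    """Collect <script src> URLs on the Maps host that carry a non-empty key=."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        # urlsplit also parses protocol-relative URLs such as //host/path
        parts = urlsplit(attr.get("src") or "")
        if parts.hostname != MAPS_HOST:
            return
        # parse_qs drops blank values, so "key=" with nothing after it is ignored
        for key in parse_qs(parts.query).get("key", []):
            self.findings.append({
                "script_id": attr.get("id"),
                "path": parts.path,
                "key_redacted": redact(key),
            })


def find_exposed_keys(html_text):
    finder = KeyedScriptFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample: the tag from the post with a made-up key value.
SAMPLE_PAGE = """<html><head>
<script src='//maps.googleapis.com/maps/api/js?key=CONSTRUCTED-SAMPLE-KEY-0000&libraries=drawing%2Cgeometry&ver=6.1.1' id='dsidxpress_google_maps_geocode_api-js'></script>
<script src='/wp-includes/js/jquery/jquery.min.js?ver=3.6.0'></script>
</head></html>"""

if __name__ == "__main__":
    for finding in find_exposed_keys(SAMPLE_PAGE):
        print(finding)
```

The report redacts the key so the output can be pasted into a ticket without republishing it.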
