[Beta9.1] Security Issue! - our Google Maps API key is being exposed on our website when it should be held as a private secret

This is not a bug and just the way how the internet works 😂 You should use the Google settings to restrict it for your domain/ip address, see also their recommendations section in the docs: 

https://developers.google.com/maps/documentation/javascript/get-api-key

2 minutes ago, Daniel F said:

You should use the Google settings to restrict it for your domain/ip address

Daniel F,

Thanks for your response - but I believe that will not work.

The whole point is that the request to Google Maps API is being made from the browser under V5 and not from the server. (Presumably, under V4 the request was being made from the server so your advice would have worked.) The browser of "mr/mrs hacker" is not in our server's domain so if we did what you advise then they would be blocked. Unfortunately, the browsers of all our members are also not in our server's domain so they would also be blocked.

Following your advice, I'm not sure how that differs from disabling Google Maps for all users?

John

OK, I have to admit that I'm not sure about this now, I'll reopen this one for further review next week once I'm back in the office:D 

Daniel F,

Thanks very much for your update.

😉

John