Some details to be aware of when setting HTTP Referer restrictions for API Keys:
- Restrictions without an http:// or https:// prefix will support both HTTP and HTTPS. To restrict to one or the other, make sure you include the scheme prefix in your URL.
- e.g. example.com/* will enable both HTTP and HTTPS access, https://example.com/* will require HTTPS
- A wildcard can only be used as the first subdomain in the host and/or the last segment of the path
- e.g. *.example.com/path/* is valid, but example.*.com/*/path/ is not
- Recent versions of Chrome do not send the path in HTTP referer headers
- Trailing slashes matter. If you need to support paths with and without trailing slashes, make sure you add both versions in your restriction list.
- e.g. if your restriction is example.com/path, example.com/path/ will be blocked
- Query strings are ignored when enforcing API Key restrictions (i.e. don't include query parameters in your restriction)
Please sign in to leave a comment.