Note: The following instructions are for HTTP Referrer restrictions (web applications) but the same principles can be applied to server-side API keys with IP restrictions.
We recommend creating a dedicated API key for each environment and applying API key restrictions to each one. Setting API key restrictions for deployed environments (dev, test, prod) is intuitive, but good practice for local development is less obvious. Here are a couple of clever techniques to help secure an API key for local development.
- Restrict the API key to an obscure port such as 4489 or 5012. Do NOT use a familiar port such as 443, 8000, 5000, 8080, etc. Run the local web server for your application on this port.
- Edit your hosts file and point 127.0.0.1 to an alias you set for the local machine, for example "razorbeam".
Hosts file example with alias "razorbeam"
$ cat /etc/hosts
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
- Add an API key restriction for the alias + port combination. Do NOT use "localhost".
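The three steps above can be checked before the restriction is saved. The following is an added example, not part of the original instructions: it assumes the restriction is written as a URL pattern such as `http://razorbeam:4489/*`, uses a constructed hosts file, and adds ports 80 and 3000 to the familiar ports the page names.

```python
import ipaddress
from urllib.parse import urlsplit

# Familiar ports named on the page; 80 and 3000 are added here as an assumption.
FAMILIAR_PORTS = {80, 443, 3000, 5000, 8000, 8080}
# Constructed sample hosts file; "razorbeam" is the page's example alias.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       razorbeam   # local development alias
"""

def hosts_table(hosts_text):
    """Map each hostname in hosts-file text to the set of addresses bound to it."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(fields[0])
    return table

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # malformed address in the hosts file
        return False

def check_local_restriction(referrer, hosts_text):
    """Return a list of problems with a local-development referrer restriction."""
    url = urlsplit(referrer if "://" in referrer else "http://" + referrer)
    host = (url.hostname or "").lower()
    problems = []
    if host == "localhost":
        problems.append("host is 'localhost'; use a private alias instead")
    else:
        addrs = hosts_table(hosts_text).get(host)
        if not addrs:
            problems.append(f"alias '{host}' has no hosts-file entry")
        elif not all(is_loopback(a) for a in addrs):
            problems.append(f"alias '{host}' maps to a non-loopback address")
    try:
        port = url.port  # raises ValueError if the port is not a valid number
    except ValueError:
        return problems + ["port is not a valid number"]
    if port is None:
        problems.append("no explicit port; the restriction should pin one")
    elif port in FAMILIAR_PORTS:
        problems.append(f"port {port} is a familiar default; pick an obscure one")
    return problems
```

An empty list means the alias resolves only to loopback and the port is both explicit and uncommon; pass the contents of your own hosts file in place of `SAMPLE_HOSTS`.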