How to secure a Google Maps API key

Our Local SEO plugin allows you to add Google Maps API keys. To prevent quota theft, secure your API key following these best practices. There are two types of restrictions: application restrictions and API restrictions. In this article, we’ll explore both of these restrictions. If you need help setting up your key, check out our guide for generating and setting up a Google Maps API key first.

Application restrictions

Our Local SEO plugin uses a Google Maps Javascript API (browser) key. The browser key should be restricted using the HTTP referrer restrictions. We’ll explore what this means below.

Javascript API (browser) key: HTTP restrictions

For the Google Maps Javascript API (browser) key, please enter the correct HTTP referrers, which is most commonly used in this format:

https://example.com
https://example.com/*

There are other options depending on your preferred URL format. Learn more here. If you are unsure as to what HTTP referrer to add, please contact your web host or server admin.

API restrictions

The Yoast Local SEO plugin uses the following APIs:

Maps JavaScript API (browser key)
Directions API (browser key)
Timezone API (browser key)
Geocoding API (server key)

How to remove Google Maps API restrictions

We highly recommend securing your API key to prevent others from using your quota. The downfall is that incorrect restrictions can cause the maps to fail. Temporarily removing the restrictions will help identify if the restrictions are causing unexpected behaviors.

Go to Google API Console
Select your site project
Select your API key
Under Application restrictions, select None
Under API restrictions, select Don’t restrict key
Click Save
This may take some time.
From your homepage, go to the page where your map should appear
If the map appears, the restrictions were invalid. Please re-add the restrictions one option at a time to determine which restriction caused the map to not appear.