I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started
The first step of interacting with YouTube's API is:
You need a Google Account to access the Google Developers Console, request an API key, and register your application.
And they continue on to show an example where they use the key:
URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY &part=snippet,contentDetails,statistics,status
I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.
Since it's a client-side application, my API key is embedded into the code.
Today, a malicious user scripted something to max out the requests:
I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?
I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.
Do I have any other options available to me?
Thanks
This was due to a quota cost increase, it's temporarily reverted. We'll announce cost changes in http://apiblog.youtube.com/ and https://developers.google.com/youtube/v3/revision_history going forward.
Don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app
You can use restriction to secure your API Key.
Use the REFERERS attribute of the public API key. Go to your project in console developers -> API&Auth -> Credentials
- If you use Key for browser applications,
REFERERSis a reference to a domain. - If you use Server key,
REFERERSis a reference to a IP. (ip of your server for example)
For example, if you use github.io to make live demo of an application, REFERERS will point on http://user.github.io/*
You can read more register your application
Use a server key if your application runs on a server. Do not use this key outside of your server code. For example, do not embed it in a web page. To prevent quota theft, restrict your key so that requests are only allowed from your servers' source IP addresses.
Use a browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.
A screen to help you :
It appears to be a major bug. Same problem here - quota usage spiked like crazy starting on Sept. 3 and requests now cost WAY more than the documentation states.
Someone reported it as a defect in their bug tracking system. I suggest everyone affected go there and star the defect to help call attention to it:
I propose the following ideas:
- You can make sure the user accessing your page is a human (with Captcha, etc.)
- Hide your API call behind an AJAX call that is triggered by your front-end (like GET /callgoogleapi);
- The handler of AJAX call can set a frequency threshold, i.e. 2 requests per second. If too fast, the API call is not made, and AJAX replies a message like "User operation too fast".
That is correct. When you make your key make sure you use the REFERERS so that even if they do get your key it will not work for them!
We also see this error, it seems to be too large deviations. results Overview is 813.844, but the APIs are Used 49,379,348 of 50,000,000 requests today
来源:https://stackoverflow.com/questions/25657111/protecting-youtube-v3-api-key-in-a-client-side-application