How to protect and hide your Bing Maps key
Guides|by Clemens Schotte|6 April 2022
When using Bing Maps for Enterprise in your solution/application, you need a Basic Key (limited free trial) or an Enterprise key to use the services. For example, you would add a Bing Maps Key to the script URL loading the Bing Maps Web Control like this:
<script src="https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key={your bing maps key}"></script>
Protecting
The Bing Maps key is mainly used to determine the usage and allow access to Bing Maps features. To protect your Bing Maps key, so it can't be misused on other websites, there is an option in the Bing Maps Dev Center to protect your key. This security option allows you to specify a list of referrers (website URLs) and IP numbers who can use your key. When at least one referrer rule is active, any requests that omit a referrer and any requests from non-approved referrers will be blocked, preventing others from using your key for requests. You can have up to 300 referrer and IP security rules per key.
Your key is now protected but is still visible in your website code and it is best practice is to never store any keys or certificates in source code. So how do you hide your Bing Maps key?
Hiding
To hide the Bing Maps key, you create a simple API endpoint that will only return the Bing Maps key if the request comes from a trusted referral URL. The Bing Maps Samples site is a good example that uses this approach.
In this example we are using an Azure Function written in C# that returns the Bing Maps key:
public static class GetBingMapsKey { private static readonly string[] allowd = { "https://samples.bingmapsportal.com/", "http://localhost"}; [FunctionName("GetBingMapsKey")] public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req) { string referer = req.Headers["Referer"]; if (string.IsNullOrEmpty(referer)) return new UnauthorizedResult(); string result = Array.Find(allowd, site => referer.StartsWith(site, StringComparison.OrdinalIgnoreCase)); if (string.IsNullOrEmpty(result)) return new UnauthorizedResult(); // Get your Bing Maps key from https://www.bingmapsportal.com/ string key = Environment.GetEnvironmentVariable("BING_MAPS_SUBSCRIPTION_KEY"); return new OkObjectResult(key); } }
The Bing Maps key is stored server-side in this Azure Function Application settings field. We are using the GetEnvironmentVariable()
to get the key.
Next, we need to load the Bing Maps script and get the key from the API client-side. Finally, we use the following code snippet to load Bing Maps dynamically:
<script> // Dynamic load the Bing Maps Key and Script // Get your own Bing Maps key at https://www.microsoft.com/maps (async () => { let script = document.createElement("script"); let bingKey = await fetch("https://samples.azuremaps.com/api/GetBingMapsKey").then(r => r.text()).then(key => { return key }); script.setAttribute("src", `https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key=${bingKey}`); document.body.appendChild(script); })(); </script>
The browser will run this code and create at runtime in the DOM the same line of script tag we have seen at the beginning of this blog post to load Bing Maps and the Key. An additional advantage is that the Bing Maps key is not stored in the source code anymore and that you can use IaC and build pipelines to deploy the solution.
Tip: Only hiding the Bing Maps key alone is not enough as a security measure. We recommend you still enable the security option in the Bing Maps Dev Center!
If you have any questions about this post or want to know how to get the most from Bing Maps, please contact our Mapping team.
Tel: +44 (0) 1364 654 100
Email: mapping@greymatter.com
Contact Grey Matter
If you have any questions or want some extra information, complete the form below and one of the team will be in touch ASAP. If you have a specific use case, please let us know and we'll help you find the right solution faster.
By submitting this form you are agreeing to our Privacy Policy and Website Terms of Use.
Clemens Schotte
I'm a Program Manager at Microsoft in the Maps & Geospatial Product Group, a dedicated and enthusiastic storyteller with a passion for technology and social interaction. I blog and talk about technology, gadgets, code, the web, space science and everything that interests me. I love to teach, motivate, and entertain people with technical details. I'm knowledgeable about Microsoft and Open-Source technology. I like to engage with people to exchange ideas and experiences. I'm spontaneous, flexible, and love the constant flow of innovation and new possibilities.
https://www.linkedin.com/in/cschotte/
Related News
Secure Impact Launches New Cyber Security Services
Cyber security consultancy, Secure Impact, has announced two new services to support clients looking to improve their security. Microsoft 365 Security Assessment The Microsoft 365 Security Assessment by SI targets the unique needs of cloud environments, highlighting the shared responsibility...
KnowBe4 Acquires Egress To Enhance Their Cyber Security Platform
Our partner, KnowBe4 has announced its acquisition of Egress, a cloud email security company. About KnowBe4 and Egress KnowBe4 is a leader in security awareness training, which helps organisations train their employees to identify and avoid cyber threats. Egress offers...
Microsoft Build – Online Session
21 - 23 May 2024
We’re excited to be a part of this year’s event with an online Partner Showcase. Visit our page and explore our favourite free resources
Surveil dashboard updates – April 2024
There have been several changes to the Surveil platform over the last three weeks that we are excited to share with you. These changes have been designed to improve your overall experience with the platform, as well as add improved...