How to protect and hide your Bing Maps key
Guides|by Clemens Schotte|6 April 2022
When using Bing Maps for Enterprise in your solution/application, you need a Basic Key (limited free trial) or an Enterprise key to use the services. For example, you would add a Bing Maps Key to the script URL loading the Bing Maps Web Control like this:
<script src="https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key={your bing maps key}"></script>
Protecting
The Bing Maps key is mainly used to determine the usage and allow access to Bing Maps features. To protect your Bing Maps key, so it can't be misused on other websites, there is an option in the Bing Maps Dev Center to protect your key. This security option allows you to specify a list of referrers (website URLs) and IP numbers who can use your key. When at least one referrer rule is active, any requests that omit a referrer and any requests from non-approved referrers will be blocked, preventing others from using your key for requests. You can have up to 300 referrer and IP security rules per key.
Your key is now protected but is still visible in your website code and it is best practice is to never store any keys or certificates in source code. So how do you hide your Bing Maps key?
Hiding
To hide the Bing Maps key, you create a simple API endpoint that will only return the Bing Maps key if the request comes from a trusted referral URL. The Bing Maps Samples site is a good example that uses this approach.
In this example we are using an Azure Function written in C# that returns the Bing Maps key:
public static class GetBingMapsKey { private static readonly string[] allowd = { "https://samples.bingmapsportal.com/", "http://localhost"}; [FunctionName("GetBingMapsKey")] public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req) { string referer = req.Headers["Referer"]; if (string.IsNullOrEmpty(referer)) return new UnauthorizedResult(); string result = Array.Find(allowd, site => referer.StartsWith(site, StringComparison.OrdinalIgnoreCase)); if (string.IsNullOrEmpty(result)) return new UnauthorizedResult(); // Get your Bing Maps key from https://www.bingmapsportal.com/ string key = Environment.GetEnvironmentVariable("BING_MAPS_SUBSCRIPTION_KEY"); return new OkObjectResult(key); } }
The Bing Maps key is stored server-side in this Azure Function Application settings field. We are using the GetEnvironmentVariable()
to get the key.
Next, we need to load the Bing Maps script and get the key from the API client-side. Finally, we use the following code snippet to load Bing Maps dynamically:
<script> // Dynamic load the Bing Maps Key and Script // Get your own Bing Maps key at https://www.microsoft.com/maps (async () => { let script = document.createElement("script"); let bingKey = await fetch("https://samples.azuremaps.com/api/GetBingMapsKey").then(r => r.text()).then(key => { return key }); script.setAttribute("src", `https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key=${bingKey}`); document.body.appendChild(script); })(); </script>
The browser will run this code and create at runtime in the DOM the same line of script tag we have seen at the beginning of this blog post to load Bing Maps and the Key. An additional advantage is that the Bing Maps key is not stored in the source code anymore and that you can use IaC and build pipelines to deploy the solution.
Tip: Only hiding the Bing Maps key alone is not enough as a security measure. We recommend you still enable the security option in the Bing Maps Dev Center!
If you have any questions about this post or want to know how to get the most from Bing Maps, please contact our Mapping team.
Tel: +44 (0) 1364 654 100
Email: mapping@greymatter.com
Contact Grey Matter
If you have any questions or want some extra information, complete the form below and one of the team will be in touch ASAP. If you have a specific use case, please let us know and we'll help you find the right solution faster.
By submitting this form you are agreeing to our Privacy Policy and Website Terms of Use.
Clemens Schotte
I'm a Program Manager at Microsoft in the Maps & Geospatial Product Group, a dedicated and enthusiastic storyteller with a passion for technology and social interaction. I blog and talk about technology, gadgets, code, the web, space science and everything that interests me. I love to teach, motivate, and entertain people with technical details. I'm knowledgeable about Microsoft and Open-Source technology. I like to engage with people to exchange ideas and experiences. I'm spontaneous, flexible, and love the constant flow of innovation and new possibilities.
https://www.linkedin.com/in/cschotte/
Related News
Grey Matter Achieves Cyber Essentials and ISO 9001 Certifications
We are pleased to announce that we have achieved our Cyber Essentials and ISO 9001 certifications for another year. We want to do our due diligence as much as possible. And we can’t sell and promote the importance of cyber...
ACCU Conference 2025
1 - 4 April 2025 9:00 am - 4:00 pm GMT
We’re delighted to be a Gold Sponsor of the ACCU Conference 2025 in Bristol. It’s an event in the Southwest, so a little bit closer to home than usual for us. What is ACCU? The ACCU Conference, originally focused on...
Veeam Kasten v7.5: Revolutionising Kubernetes Backup and Recovery
Veeam has announced the release of Kasten v7.5, the latest version of its industry-leading Kubernetes backup and recovery solution. This new release brings significant advancements in scale, performance, security, and ecosystem coverage, empowering your organisation with brilliant resilience for your...
From Resolutions to Reality – Achieve your Creative Goals with Adobe
New year, new skills. Here's your list of Creative Resolutions to make 2025 your most creative year yet with Adobe Creative Cloud.