How to protect and hide your Bing Maps key
Guides|by Clemens Schotte|6 April 2022
When using Bing Maps for Enterprise in your solution/application, you need a Basic Key (limited free trial) or an Enterprise key to use the services. For example, you would add a Bing Maps Key to the script URL loading the Bing Maps Web Control like this:
<script src="https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key={your bing maps key}"></script>
Protecting
The Bing Maps key is mainly used to determine the usage and allow access to Bing Maps features. To protect your Bing Maps key, so it can't be misused on other websites, there is an option in the Bing Maps Dev Center to protect your key. This security option allows you to specify a list of referrers (website URLs) and IP numbers who can use your key. When at least one referrer rule is active, any requests that omit a referrer and any requests from non-approved referrers will be blocked, preventing others from using your key for requests. You can have up to 300 referrer and IP security rules per key.
Your key is now protected but is still visible in your website code and it is best practice is to never store any keys or certificates in source code. So how do you hide your Bing Maps key?
Hiding
To hide the Bing Maps key, you create a simple API endpoint that will only return the Bing Maps key if the request comes from a trusted referral URL. The Bing Maps Samples site is a good example that uses this approach.
In this example we are using an Azure Function written in C# that returns the Bing Maps key:
public static class GetBingMapsKey { private static readonly string[] allowd = { "https://samples.bingmapsportal.com/", "http://localhost"}; [FunctionName("GetBingMapsKey")] public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req) { string referer = req.Headers["Referer"]; if (string.IsNullOrEmpty(referer)) return new UnauthorizedResult(); string result = Array.Find(allowd, site => referer.StartsWith(site, StringComparison.OrdinalIgnoreCase)); if (string.IsNullOrEmpty(result)) return new UnauthorizedResult(); // Get your Bing Maps key from https://www.bingmapsportal.com/ string key = Environment.GetEnvironmentVariable("BING_MAPS_SUBSCRIPTION_KEY"); return new OkObjectResult(key); } }
The Bing Maps key is stored server-side in this Azure Function Application settings field. We are using the GetEnvironmentVariable()
to get the key.
Next, we need to load the Bing Maps script and get the key from the API client-side. Finally, we use the following code snippet to load Bing Maps dynamically:
<script> // Dynamic load the Bing Maps Key and Script // Get your own Bing Maps key at https://www.microsoft.com/maps (async () => { let script = document.createElement("script"); let bingKey = await fetch("https://samples.azuremaps.com/api/GetBingMapsKey").then(r => r.text()).then(key => { return key }); script.setAttribute("src", `https://www.bing.com/api/maps/mapcontrol?callback=GetMap&key=${bingKey}`); document.body.appendChild(script); })(); </script>
The browser will run this code and create at runtime in the DOM the same line of script tag we have seen at the beginning of this blog post to load Bing Maps and the Key. An additional advantage is that the Bing Maps key is not stored in the source code anymore and that you can use IaC and build pipelines to deploy the solution.
Tip: Only hiding the Bing Maps key alone is not enough as a security measure. We recommend you still enable the security option in the Bing Maps Dev Center!
If you have any questions about this post or want to know how to get the most from Bing Maps, please contact our Mapping team.
Tel: +44 (0) 1364 654 100
Email: mapping@greymatter.com
Contact Grey Matter
If you have any questions or want some extra information, complete the form below and one of the team will be in touch ASAP. If you have a specific use case, please let us know and we'll help you find the right solution faster.
By submitting this form you are agreeing to our Privacy Policy and Website Terms of Use.
Clemens Schotte
I'm a Program Manager at Microsoft in the Maps & Geospatial Product Group, a dedicated and enthusiastic storyteller with a passion for technology and social interaction. I blog and talk about technology, gadgets, code, the web, space science and everything that interests me. I love to teach, motivate, and entertain people with technical details. I'm knowledgeable about Microsoft and Open-Source technology. I like to engage with people to exchange ideas and experiences. I'm spontaneous, flexible, and love the constant flow of innovation and new possibilities.
https://www.linkedin.com/in/cschotte/
Related News
[ON-DEMAND] The Future of Enterprise Mapping Solutions: Bing Maps Unification with Azure Maps
Learn all about the Bing Maps Unification with Azure Maps and the support available with our Grey Matter and Microsoft experts.
Meet the Mapping Team | Part 3
When it comes to all things Geospatial, no one knows mapping like we do. Meet the people behind our Grey Matter Mapping team and learn about their diverse industry experiences in the Geospatial industry.
Understanding DMARC: A Guide for Organisations
In today’s digital age, email remains a critical communication tool for businesses. However, it is also a prime target for cyberattacks such as phishing and email spoofing. To combat these threats, organisations can implement DMARC (Domain-based Message Authentication, Reporting, and...
Acronis Offers Native Support for Amazon S3 and Wasabi
Acronis can now offer direct support for Amazon S3 and Wasabi cloud storage. This update elevates the data protection capabilities, ensuring you can rely on the most reliable and efficient backup solutions. This is great news if you are looking...