LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Why is it dangerous to expose API keys in client-side JavaScript?

Client-side code is fully visible to anyone, so an exposed key can be copied and abused, running up charges or hitting quotas on your account.

The problem:

<!-- Anyone can see this in the browser! -->
<img src="https://maps.api.com?key=abc123secret">

Mitigation strategies:

Strategy Security Level
Restrict key to specific domains Medium (can be spoofed)
Restrict key to specific IPs Medium
Use key only server-side High
Set usage quotas/alerts Damage control

Best practice:

  1. Never commit API keys to version control
  2. Use environment variables
  3. Make API calls from your backend, not frontend
  4. Set up billing alerts

From Quiz: WEBT / Geolocation API and Responsive Layouts | Updated: Jul 14, 2026