Quiz Entry - updated: 2026.07.14
Why is it dangerous to expose API keys in client-side JavaScript?
Client-side code is fully visible to anyone, so an exposed key can be copied and abused, running up charges or hitting quotas on your account.
The problem:
<!-- Anyone can see this in the browser! -->
<img src="https://maps.api.com?key=abc123secret">
Mitigation strategies:
| Strategy | Security Level |
|---|---|
| Restrict key to specific domains | Medium (can be spoofed) |
| Restrict key to specific IPs | Medium |
| Use key only server-side | High |
| Set usage quotas/alerts | Damage control |
Best practice:
- Never commit API keys to version control
- Use environment variables
- Make API calls from your backend, not frontend
- Set up billing alerts