How can we improve Azure Maps?

Protect Map account by site URI checking.

Currently the Azure Map account is protected by the key generated on the Azure Portal. This is not enough for SPA JS sites. Let's say you have a public server-less map app that allows anonymous use. The map key could easily be discovered and stolen. Hence your map account could be used by others at your expense.
Expected: add the ability to specify one or more site URIs where legal traffic could come from. Azure should check incoming requests against this list and reject unknown sites. This should support "localhost:port" for test purposes as well as real domain names for production.

12 votes

    Vitaly Zayko shared this idea

    5 comments

      • Kevin Flood commented

        This is a critical issue really. It allows anyone to use (and bill) your account. E.g. the key listed in this simple map widget demo https://docs.microsoft.com/en-us/azure/azure-maps/map-create can also be used by anyone for free access to billable API calls on any Azure map service (geocode, etc.).

        Brief overview of Google's approach: https://developers.google.com/maps/faq#using-google-maps-apis
        So basically, their web-level APIs (e.g. embedded map widget) support whitelisting websites/IP addresses and their server-level APIs (e.g. geocoding, directions) support signing requests with a shared secret. This worked well for us,

      • Anonymous commented

        There must surely be a better way of using the JS API without exposing your API key. In the docs Microsoft tell us to secure our keys using KeyVault - why on Earth should I do that if I have to expose my key anyway?

      • Craig Neeson commented

        Bumping this as our team would also benefit from the same security features. Hesitant to invest too much time with the Azure Maps JS components until they can actually be secured properly.

      • rbrundritt commented

        URI checking provides a false sense of security as it is fairly easy to spoof a URI. It only protects you from honest reverse engineers. That said, there are plans to provide increased security options in the near future.
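
The two controls discussed in the comments above (a site allowlist, and request signing with a shared secret), sketched as server-side checks in Node.js. This is an added example, not part of any comment and not Azure's or Google's actual scheme; the allowlist entries, the `/geocode` path, the secret and the signature format are constructed assumptions.

```javascript
const nodeCrypto = require('crypto');

// Constructed allowlist: one production site plus a localhost:port test origin.
const ALLOWED_ORIGINS = new Set(['https://maps.example.com', 'http://localhost:8080']);

// Check 1: site URI allowlist. Origin/Referer are values the client sends, so
// this filters browsers on other sites but cannot authenticate the caller.
function originAllowed(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return false;
  try {
    return ALLOWED_ORIGINS.has(new URL(raw).origin);
  } catch (err) {
    return false; // header value is not a parsable URL
  }
}

// Check 2: HMAC over the request path and an expiry time, computed with a
// secret that stays on the server and is never shipped to the browser.
function signRequest(secret, pathAndQuery, expiresAt) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(`${pathAndQuery}\n${expiresAt}`)
    .digest('hex');
}

function signatureValid(secret, pathAndQuery, expiresAt, signature, now) {
  if (now > expiresAt) return false; // expired signatures are rejected
  const expected = Buffer.from(signRequest(secret, pathAndQuery, expiresAt), 'hex');
  const given = Buffer.from(String(signature), 'hex');
  return given.length === expected.length && nodeCrypto.timingSafeEqual(expected, given);
}

// Constructed sample values, evaluated the way a gateway would evaluate them.
function demo() {
  const secret = 'constructed-shared-secret';
  const path = '/geocode?q=Seattle';
  const sig = signRequest(secret, path, 2000);
  return {
    allowedSite: originAllowed({ referer: 'https://maps.example.com/app/' }),
    otherSite: originAllowed({ origin: 'https://unlisted.example.net' }),
    validSignature: signatureValid(secret, path, 2000, sig, 1000),
    alteredPath: signatureValid(secret, '/geocode?q=Tokyo', 2000, sig, 1000),
    expired: signatureValid(secret, path, 2000, sig, 3000),
  };
}
```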
