Protect Map account by site URI checking.
Currently Azure Map account protected by the key, generated on Azure Portal. This is not enough for SPA JS sites. Let say you have a public server-less map App that allows to use anonymously. Map key could easily discovered and stolen. Hence your map account could be used by others for your expense.
Expected: add ability to specify one or more site URI where legal traffic could come from. Azure should check incoming requests against this list and reject unknown sites. This should support "localhost:port" for test purposes as well as real domain names for production.
Kevin Flood commented
This is a critical issue really. It allows anyone use (and bill) your account. e.g. the key listed in this simple map widget demo https://docs.microsoft.com/en-us/azure/azure-maps/map-create can also be used by anyone for free access to billable API calls on any Azure map service (geocode, etc.).
Brief overview of Google's approach: https://developers.google.com/maps/faq#using-google-maps-apis
so basically, their web-level APIs (e.g. embedded map widget) support whitelisting websites/ip addresses and their server-level APIs (e.g. geocoding, directions) support signing requests with a shared secret. This worked well for us,
James Rogers commented
Any update on this?
There must surely be a better way of using the JS API without exposing your API key. In the docs Microsoft tell us to secure our keys using KeyVault - why on Earth should I do that if I have to expose my key anyway?
Craig Neeson commented
Bumping this as our team would also benefit from the same security features. Hesitant to invest too much time with the Azure Maps JS components until they can actually be secured properly.
URI checking provides a false sense of security as it is fairly easy to spoof a URI. It only protects you from honest reverse engineers. That said, there are plans to provide increased security options in the near future.