An unrestricted map API key, one with no HTTP referrer restrictions in the provider console, is a valid, usable credential that any third party can call from any domain. A browser-side map key has to ship in page source or a JS bundle, so treat it as public: the referrer restriction is the boundary that limits what a copied key can do, not something that keeps it secret. CWE-732 (Incorrect Permission Assignment for Critical Resource) applies because the key grants API access without the permission boundary it should have, and OWASP A05:2021 (Security Misconfiguration) covers it directly. The practical consequence is quota theft: another site embeds your Mapbox token or Google Maps key, its visitors' tile and geocoding requests are counted against your quota, and you receive the billing overage. Referrer restrictions are a cheap boundary enforced on the provider's side, so nothing in your own code can compensate for a missing one. Two caveats: the Referer header is supplied by the client, so the restriction stops other websites from embedding your key (browsers set Referer on the site's behalf) but not a scripted client that sets the header itself; and it should be paired with the provider's API restrictions (Google) or minimal token scopes (Mapbox) so a copied key can only reach the map services you actually use.
Low because referrer restriction is defense-in-depth: the key is public by design, so the restriction does not prevent its disclosure, it only limits what a copied key can do, and the consequence of an unrestricted key is measurable quota and billing exposure rather than data exposure.
Restrict each map API key in the provider console to your production domain(s). Document the expectation in .env.example so future developers know that a new key must be restricted before it ships.
# .env.example
# GOOGLE_MAPS_KEY: restrict to yourdomain.com in Google Cloud Console > APIs & Services > Credentials
# (keep these notes on their own line; some dotenv loaders do not strip trailing comments)
GOOGLE_MAPS_KEY=your-key-here
# MAPBOX_TOKEN: restrict to yourdomain.com in Mapbox Account > Tokens > URL restrictions
MAPBOX_TOKEN=your-token-here
Google Cloud: APIs & Services > Credentials > click the key > Application restrictions > HTTP referrers > add https://yourdomain.com/* (and https://*.yourdomain.com/* if the site is also served from www or other subdomains). Under API restrictions, limit the key to the Maps APIs the site calls. Check the site's Referrer-Policy as well: with no-referrer the browser omits the header and the provider rejects your own site's requests; the browser default, strict-origin-when-cross-origin, sends the origin, which is enough to match the pattern.
Mapbox: Account > Tokens > edit token > enable URL restrictions > add your domain. Keep the token's scopes to the read scopes the map needs.
Create separate keys for development and production and restrict each independently (the development key to localhost or staging hosts only), so a leaked dev key has a limited blast radius and never works from the production domain.
ID: directory-map-location.geocoding.api-keys-restricted
Severity: low
What to look for: Enumerate the map keys the web app actually ships (search the deployed HTML and JS bundles; Google API keys start with AIza, Mapbox public tokens with pk.), then log into each provider's console (Google Cloud, Mapbox, etc.) and check the settings of every one. Verify that HTTP referrer restrictions are configured (an allowed-domain list) to prevent use of the key from other domains.
Pass criteria: Map API keys have HTTP referrer restrictions configured in the provider console. Count all API keys used for map services and confirm each has an HTTP referrer restriction configured. The allowed domain list includes only your production domain(s), with no catch-all wildcard entry. Quote the actual restriction type and allowed entries from the provider console or environment config.
Fail criteria: Any key has no referrer restriction (unrestricted key), or its allow list contains a wildcard that admits any domain. Any domain can then use the key, creating exposure to quota theft. A key with an IP restriction but no HTTP referrer restriction on a web app does not count as a pass: browser requests arrive from end users' addresses, so an IP restriction either breaks the site or is so broad that it restricts nothing, and Google allows only one application-restriction type per key, so server-side calls need their own, IP-restricted key.
Skip (N/A) when: No external map API is used, or all map and geocoding calls are proxied through the backend with no client-exposed keys (the backend's key should then carry an IP or server restriction instead, which is outside this check).
Detail on fail: "Google Maps API key has no HTTP referrer restrictions; key is unrestricted and vulnerable to quota theft" or "Mapbox token has no domain restrictions configured"
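The pass/fail logic above can be applied to exported key metadata instead of reading it off the console by hand. The following is an added example for this check, not part of the original text or of either provider's tooling. It assumes two record shapes, both of which you should verify against your own output before relying on it: for Google, the Key objects that `gcloud services api-keys list --format=json` prints (API Keys API v2), with referrer limits under restrictions.browserKeyRestrictions.allowedReferrers; for Mapbox, token objects from the Mapbox Tokens API with URL restrictions in the allowedUrls list. The sample records and the production domain example.com are constructed.

```python
"""Audit map API keys against the referrer-restriction check (added example).

Assumed input shapes (verify against your own console/CLI output):
  Google: Key objects from `gcloud services api-keys list --format=json`,
          referrers under restrictions.browserKeyRestrictions.allowedReferrers.
  Mapbox: token objects from the Tokens API, URL restrictions in `allowedUrls`.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

PRODUCTION_DOMAINS = ["example.com"]  # assumption: the audited site's domain(s)

# Constructed sample in the assumed gcloud JSON shape; not real keys.
SAMPLE_GOOGLE_KEYS = [
    {"displayName": "maps-web-prod",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*", "https://*.example.com/*"]},
         "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "maps-web-unrestricted", "restrictions": {}},
    {"displayName": "maps-web-ip-only",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
    {"displayName": "maps-web-wildcard",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}}},
]

# Constructed sample in the assumed Mapbox token shape; not real tokens.
SAMPLE_MAPBOX_TOKENS = [
    {"id": "tok-prod", "note": "web-prod", "usage": "pk",
     "allowedUrls": ["https://example.com", "https://www.example.com"]},
    {"id": "tok-open", "note": "web-unrestricted", "usage": "pk", "allowedUrls": []},
    {"id": "tok-stage", "note": "web-staging-leak", "usage": "pk",
     "allowedUrls": ["https://example.com", "https://staging.partner.test"]},
]


@dataclass
class Finding:
    key: str
    provider: str
    status: str          # "pass" or "fail"
    restriction: str     # restriction type to quote in the report
    allowed: List[str]
    reason: str


def pattern_host(pattern: str) -> str:
    """Reduce a referrer/URL pattern to the host it admits. A leading '*.' is
    dropped so '*.example.com' is judged by its apex; a bare '*' stays '*'."""
    p = pattern.strip()
    host = (urlsplit(p).hostname or "") if "://" in p else p.split("/", 1)[0]
    host = host.lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def in_production(host: str, production_domains: Iterable[str]) -> bool:
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in production_domains)


def classify(key: str, provider: str, referrers: List[str],
             production_domains: Iterable[str], other_restriction: Optional[str] = None) -> Finding:
    """Pass only if a referrer allow list exists, has no catch-all entry, and names
    only production domains. IP or mobile-app restrictions on a browser key do not count."""
    if not referrers:
        reason = (f"{other_restriction} restriction only; does not count for a browser key"
                  if other_restriction else "no HTTP referrer restriction (unrestricted key)")
        return Finding(key, provider, "fail", other_restriction or "none", [], reason)
    broad = [r for r in referrers if pattern_host(r) in ("", "*")]
    if broad:
        return Finding(key, provider, "fail", "HTTP referrers", list(referrers),
                       f"catch-all entries admit any domain: {broad}")
    foreign = [r for r in referrers if not in_production(pattern_host(r), production_domains)]
    if foreign:
        return Finding(key, provider, "fail", "HTTP referrers", list(referrers),
                       f"allow list includes non-production domains: {foreign}")
    return Finding(key, provider, "pass", "HTTP referrers", list(referrers),
                   "restricted to production domain(s)")


def google_findings(keys, production_domains=PRODUCTION_DOMAINS) -> List[Finding]:
    out = []
    for k in keys:
        r = k.get("restrictions") or {}
        refs = (r.get("browserKeyRestrictions") or {}).get("allowedReferrers") or []
        other = None
        if "serverKeyRestrictions" in r:
            other = "IP address"
        elif "androidKeyRestrictions" in r or "iosKeyRestrictions" in r:
            other = "mobile app"
        out.append(classify(k.get("displayName") or k.get("name", "?"), "google", refs,
                            production_domains, other))
    return out


def mapbox_findings(tokens, production_domains=PRODUCTION_DOMAINS) -> List[Finding]:
    return [classify(t.get("note") or t.get("id", "?"), "mapbox", t.get("allowedUrls") or [],
                     production_domains) for t in tokens]


def audit(google_keys=SAMPLE_GOOGLE_KEYS, mapbox_tokens=SAMPLE_MAPBOX_TOKENS,
          production_domains=PRODUCTION_DOMAINS) -> List[Finding]:
    return google_findings(google_keys, production_domains) + mapbox_findings(mapbox_tokens, production_domains)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.status.upper():4} {f.provider}/{f.key}: {f.restriction} {f.allowed} -> {f.reason}")
```

To run it against real data, replace the sample lists with the parsed output of the provider CLI or API and set PRODUCTION_DOMAINS to the site's real domains; each Finding carries the restriction type and allow list so the report can quote them as the pass criteria require.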
Remediation: In your map provider's console (Google Cloud Console, Mapbox Dashboard, etc.), restrict each API key, and document the expectation in .env.example:
# .env.example: document which keys need referrer restrictions
# GOOGLE_MAPS_KEY: restrict to yourdomain.com in Google Cloud Console
# (keep these notes on their own line; some dotenv loaders do not strip trailing comments)
GOOGLE_MAPS_KEY=your-key-here
# MAPBOX_TOKEN: restrict to yourdomain.com in Mapbox Dashboard
MAPBOX_TOKEN=your-token-here
Google Cloud: Navigate to APIs & Services > Credentials, click the key, under "Application restrictions" select "HTTP referrers", add https://yourdomain.com/*.
Mapbox: Go to Account > Tokens, edit the token, enable "URL restrictions" and add your domain.