Staging branch deploys to staging.customdomain.com (automatically configured via branch deploys)
My site uses Netlify Functions in the following scenario:
Google Maps Geocoding API
When a user enters an address on a form, the address is passed to a Netlify Function which calls the Google Maps Geocoding API and returns a { lat, long } object.
The problem:
Per Google Maps, the only restrictions I can place on “web service” APIs, including the Geocoding API, are IP address based.
When I ping my customdomain.com, it appears to return a relatively static IP address; however, is this susceptible to change? How frequently? And how can I effectively restrict my API key in this scenario?
When I ping my staging.customdomain.com, it often returns a dynamic address after completing a new deploy. How can I restrict the API key in this scenario?
Hey @Scott, thanks for following up. I feared as much.
Would an appropriate solution be to:
Remove restrictions on the Google API key
Restrict access to the lambda function using the http-referer header?
Understanding that if someone were to get access to the key itself, they would still be able to hit the API unrestricted. The idea is, at least they wouldn’t be able to hit my site to use the API.
I understand that static IP address restrictions are not “in the spirit of” serverless functions, but given the restrictions placed upon us by API providers, I’m trying to understand what the best practice is for handling this situation.
I’d like to keep everything on the Netlify platform as opposed to some of the other solutions such as spinning up a VPS.
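The Referer check proposed in the post above could look like the following sketch, which is an added example and not code from the thread or from Netlify. The two hostnames come from the posts; `GOOGLE_MAPS_KEY`, the `address` query parameter and the helper names are assumptions. Because the client sets the Referer header, the check filters browsers on other sites, not scripted clients.

```javascript
// Hosts come from the thread; all other names here are assumed for illustration.
const ALLOWED_HOSTS = new Set(["customdomain.com", "staging.customdomain.com"]);

// Header lookup that does not depend on how the platform cases header names.
function header(headers, name) {
  const key = Object.keys(headers || {}).find((h) => h.toLowerCase() === name);
  return key ? headers[key] : "";
}

// Parse the URL and compare the exact hostname: a substring match
// would accept customdomain.com.example.net.
function refererAllowed(headers, allowed = ALLOWED_HOSTS) {
  try {
    const url = new URL(header(headers, "referer") || header(headers, "origin"));
    return url.protocol === "https:" && allowed.has(url.hostname);
  } catch {
    return false; // header missing or not a valid URL
  }
}

// Calls the Geocoding web service; the key stays server-side in an
// environment variable (GOOGLE_MAPS_KEY is an assumed name).
async function googleGeocode(address) {
  const qs = new URLSearchParams({ address, key: process.env.GOOGLE_MAPS_KEY });
  const res = await fetch(`https://maps.googleapis.com/maps/api/geocode/json?${qs}`);
  const body = await res.json();
  if (body.status !== "OK") return null;
  const { lat, lng } = body.results[0].geometry.location;
  return { lat, long: lng };
}

// geocode is injectable so the handler can be exercised without network access.
function makeHandler(geocode = googleGeocode) {
  return async (event) => {
    if (!refererAllowed(event.headers)) {
      return { statusCode: 403, body: JSON.stringify({ error: "forbidden" }) };
    }
    const address = (event.queryStringParameters || {}).address;
    if (!address || address.length > 200) {
      return { statusCode: 400, body: JSON.stringify({ error: "bad address" }) };
    }
    const point = await geocode(address);
    return point
      ? { statusCode: 200, body: JSON.stringify(point) }
      : { statusCode: 404, body: JSON.stringify({ error: "not found" }) };
  };
}

const handler = makeHandler();
if (typeof module !== "undefined") module.exports = { handler };
```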