Exposing sensitive data such as a Google API key directly in a RESTful API URL is a security vulnerability: URLs are routinely recorded in browser history, server and proxy logs, and Referer headers, so a key placed in a query string can be read by anyone with access to those records. An attacker who obtains the key can misuse it for malicious purposes, for example running up quota against the owner's account. To mitigate this vulnerability, avoid embedding sensitive information in URLs and instead use secure methods such as HTTP headers or environment variables for transmitting and managing API keys.
Do not include Google API keys (or any other sensitive credentials) in URL query parameters. Instead, store them securely and pass them via HTTP headers, request bodies, or environment variables. Ensure all communication is encrypted over HTTPS to protect keys in transit. Regularly rotate API keys and implement rate limits to minimize damage if a key is compromised. Use a Web Application Firewall (WAF) or intrusion detection system to monitor and block suspicious traffic attempting to exploit exposed keys. Conduct periodic audits of logs and code repositories to confirm that no credentials are inadvertently leaked through version control or logging systems.
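The following Python is an added example, not part of the original rule text: it audits request URLs and log lines for API keys carried in query parameters (by parameter name and by the Google "AIza" key shape), redacts them before logging, and builds the header-based request the remediation recommends. The parameter-name list, the `GOOGLE_API_KEY` environment variable name, the sample log lines and the fake key are assumptions constructed for the example.

```python
"""Added example (not from the original rule text): detect API keys leaked in
URL query strings, redact them before logging, and build the header-based
request the remediation recommends. Sample data below is constructed."""
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry credentials (assumed list).
SENSITIVE_PARAMS = {"key", "api_key", "apikey", "access_token", "token"}
# Google API keys start with "AIza" followed by 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
URL_RE = re.compile(r"https?://[^\s\"']+")

def _is_credential(name: str, value: str) -> bool:
    return name.lower() in SENSITIVE_PARAMS or bool(GOOGLE_KEY_RE.search(value))

def leaked_keys(url: str) -> list:
    """Return (param, value) pairs in the query string that look like credentials."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in query if _is_credential(k, v)]

def redact_url(url: str) -> str:
    """Rewrite the URL with credential values masked, so it can be logged safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if _is_credential(k, v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def scan_log(lines: list) -> list:
    """Audit log lines: return a redacted copy of each line whose URL leaks a key."""
    return [URL_RE.sub(lambda m: redact_url(m.group(0)), line)
            for line in lines
            if any(leaked_keys(u) for u in URL_RE.findall(line))]

def hardened_request(url: str, key: str = None) -> tuple:
    """Strip credential parameters from the URL and carry the key in a header.
    The key is read from the environment (assumed variable GOOGLE_API_KEY),
    so it never appears in the URL, browser history, or server logs."""
    key = key or os.environ.get("GOOGLE_API_KEY")
    parts = urlsplit(url)
    clean = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if not _is_credential(k, v)]
    return urlunsplit(parts._replace(query=urlencode(clean))), {"x-goog-api-key": key}

# Constructed sample: a 39-character value shaped like a Google API key.
FAKE_KEY = "AIzaSyA" + "0" * 32
LEAKY_URL = f"https://maps.googleapis.com/maps/api/geocode/json?address=Paris&key={FAKE_KEY}"
SAMPLE_LOG = [f"GET {LEAKY_URL} 200", "GET https://api.example.com/v1/items?page=2 200"]

if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        print("leaked key found:", line)
    print(hardened_request(LEAKY_URL, key=FAKE_KEY))
```

The value-based check also catches a key passed under an unexpected parameter name, which a name-only audit would miss.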
Code: A02:2021
Category: Cryptographic Failures
5.4
5.4