I received the following warning from Google, and wonder if it is right that Toolset shows the Google API Key publicly:
~~~
We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:
Project Amii Expert Listing (id: amii-expert-listing) with API key AIzaSyCs03jjjsH2TxvU5uqwakmYP13Aoui4D2Y
The key was found at the following URL: hidden link
We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub.)
Please note that as the project/account owner, you are responsible for securing your keys.
~~~
That page does indeed show the Google API Key in the code. Is that correct? Should Toolset be showing that publicly?
That's perhaps a slightly confusing message from Google, inasmuch as the requests to its API from browsers *must* include the API key, and that key is visible to anyone that knows where to look for it.
You can secure such public keys within the Google API settings by adding a domain restriction, so that the API key only "works" when the request comes from amii.org.uk, making it useless to anyone else. That has always been best practice, but it seems like Google are sending warnings about this now.
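
An added example, not part of the original thread or of Toolset's code: a Node.js helper that lists the Google API keys a page's HTML exposes and the host each one is sent to, so the site owner knows which keys need a referrer restriction. The sample HTML, the sample keys and the `data-geocode-key` attribute are constructed for illustration.

```javascript
// Google browser API keys start with "AIza" followed by 35 URL-safe characters.
const KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;
const WHOLE_KEY_RE = new RegExp(`^${KEY_RE.source}$`);

function findExposedGoogleKeys(html) {
  const findings = new Map(); // key -> Set of places it was seen
  const note = (key, where) => {
    if (!findings.has(key)) findings.set(key, new Set());
    findings.get(key).add(where);
  };

  // 1. Keys passed as ?key= on src/href URLs (e.g. the Maps JavaScript loader).
  const urlAttr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = urlAttr.exec(html)) !== null) {
    let url;
    try {
      // Base URL is a placeholder so relative and //host/ URLs still parse.
      url = new URL(m[1].replace(/&amp;/g, "&"), "https://placeholder.invalid/");
    } catch {
      continue; // not a parseable URL
    }
    const key = url.searchParams.get("key");
    if (key && WHOLE_KEY_RE.test(key)) note(key, url.hostname);
  }

  // 2. Keys that appear only elsewhere in the markup (inline script, data attributes).
  for (const key of html.match(KEY_RE) || []) {
    if (!findings.has(key)) note(key, "inline");
  }

  return [...findings].map(([key, where]) => ({ key, where: [...where].sort() }));
}

// Constructed sample page and keys (not real credentials).
const SAMPLE_KEY = "AIza" + "0".repeat(35);
const INLINE_KEY = "AIza" + "1".repeat(35);
const SAMPLE_HTML = `
<script src="https://maps.googleapis.com/maps/api/js?libraries=places&amp;key=${SAMPLE_KEY}"></script>
<div data-geocode-key="${INLINE_KEY}"></div>`;

for (const f of findExposedGoogleKeys(SAMPLE_HTML)) {
  console.log(`${f.key.slice(0, 8)}... seen via ${f.where.join(", ")}: check its referrer restriction`);
}
```

Every key the helper reports is one that any visitor can read, so each should carry a domain restriction in the Google API settings as described above.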