Security Vulnerability: `cors-anywhere` Dependency Exposes API Keys in Web Builds

**Title:** Security Vulnerability: `cors-anywhere` Dependency Exposes API Keys in Web Builds

**Issue Type:** Bug

**Description:**

The `google_places_flutter` package uses `cors-anywhere` for web requests, exposing the Google Maps Places API key. This is a critical security vulnerability.

**Impact:**

* API Key Theft
* Quota Exhaustion
* Abuse

**Steps to Reproduce:**

1. Use the package in a Flutter web app.
2. Observe network requests in browser dev tools.

**Expected Behavior:**

API key should never be exposed in client-side web code.

**Actual Behavior:**

API key is exposed due to `cors-anywhere`.

**Proposed Solution:**

Implement a server-side proxy.

**Workaround for Web:**

Developers must implement their own server-side proxy.

**Additional Information:**

* Severity: High
* Platform: Web

**Call to Action:**

This issue needs to be addressed as a high priority. I am willing to contribute.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Vulnerability: `cors-anywhere` Dependency Exposes API Keys in Web Builds #69

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security Vulnerability: cors-anywhere Dependency Exposes API Keys in Web Builds #69

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

Security Vulnerability: `cors-anywhere` Dependency Exposes API Keys in Web Builds #69