Say I’ve restricted my Google Maps API key to the website abc.com/*. This would mean that no other website domains could use my API key to make requests to maps.googleapis.com.
However, using the API key through the browser url bar to make requests to maps.googleapis.com still works fine. Calls made through Postman also work.
What’s the explanation for this and is there an elegant way to prevent this?