You are able to achieve by using [HMAC Authentication][1]. Basically, there might be a database table called **ApiKey (apiKey, secretKey)**. Each client has each Apikey and secret Key:

1. ApiKey is like a public key and will be sent over HTTP (similar with username).

2. Secret Key is not sent over HTTP, use this secret key to do hmac some information and send hashed output to the server. From server side, based on the public key, you can get the relevent secret key and hash information to compare with hash output.

I have posted the detailed answer at: https://stackoverflow.com/questions/11775594/how-to-secure-an-aspnet-mvc-web-api/11782361#11782361

You can change Username by ApiKey and Hashed Password by secret key on my answer to map with your idea.

  [1]: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

I have an problem increasing memory limit for PHP as Apache module.

If I put following directive in Apache configuration, that work OK:

    php_value memory_limit 1.99G

But over 2GB do not work, it&#39;s restore this value back to 128MB.

What is the problem here? I need more memory for some PDF related tasks.

Server is Debian 2.6.32-5-amd64 #1 SMP, PHP 5.3.3-7+squeeze13 with 12GB physical RAM.

How to increase memory limit for PHP over 2GB?

I have a function, which generates and returns a MemoryStream. After generation the size of the MemoryStream is fixed, I dont need to write to it anymore only output is required. Write to MailAttachment or write to database for example. 

What is the best way to hand the object around? MemoryStream or Byte Array? If I use MemoryStream I have to reset the position after read.



  

c# MemoryStream vs Byte Array

I&#39;m interested in creating API keys for web.api and allowing clients to communicate with API using the API keys rather than authorization web.api provides. 

I want multiple clients to be able to communicate with the web.api. instead of creating username and password, can I use an api key, and allow clients to communicate with client.

Is there such built-in functionality?

if one wants to implement it, how would you go around it? 

Web API creating API keys

I'm interested in creating API keys for web.api and allowing clients to communicate with API using the API keys rather than authorization web.api provides.
I want multiple clients to be able to communicate with the web.api. instead of creating username and password, can I use an api key, and allow clients to communicate with client.
Is there such built-in functionality?
if one wants to implement it, how would you go around it?

I&#39;m trying to make a simple program to test the new .NET async functionality within Visual Studio 2012. I generally use BackgroundWorkers to run time-consuming code asynchronously, but sometimes it seems like a hassle for a relatively simple (but expensive) operation. The new async modifier looks like it would be great to use, but unfortunately I just can&#39;t seem to get a simple test going.

Here&#39;s my code, in a C# console application:

&lt;!-- language: c# --&gt;

    static void Main(string[] args)
    {
        string MarsResponse = await QueryRover();
        Console.WriteLine(&quot;Waiting for response from Mars...&quot;);
        Console.WriteLine(MarsResponse);
        Console.Read();
    }
    
    public static async Task&lt;string&gt; QueryRover()
    {
        await Task.Delay(5000);
        return &quot;Doin&#39; good!&quot;;
    }

I checked out some examples on MSDN and it looks to me like this code should be working, but instead I&#39;m getting a build error on the line containing &quot;await QueryRover();&quot; Am I going crazy or is something fishy happening?

Await operator can only be used within an Async method

What is the proper way of setting the User-Agent header for a WebClient request for Windows Phone 7?
I found 2 options, but not sure which one is the correct one. Considering a WebClient object:

    WebClient client = new WebClient();

I saw 2 options:

1. set the User-Agent using: 

        client.Headers[&quot;User-Agent&quot;] = &quot;myUserAgentString&quot;;

2. set the User-Agent using the WebHeaderCollection:

        WebHeaderCollection headers = new WebHeaderCollection();
        headers[HttpRequestHeader.UserAgent] = &quot;userAgentString&quot;;
        client.Headers = headers;

Can you please advise which of the 2 methods above is the proper one?

Setting the User-Agent header for a WebClient request

I have a winforms app and want to trigger some code when a checkbox embedded in a `DataGridView` control is checked / unchecked. Every event I have tried either

1. Triggers as soon as the `CheckBox` is clicked but before its checked state changes, or
2. Triggers only once the `CheckBox` looses its focus

I can&#39;t seem to find event that triggers immediately after the checked state changes.

---

**Edit:**

What I am trying to achieve is that when the checked state of a `CheckBox` in one `DataGridView` changes, the data in two other `DataGridView`s changes. Yet all the events I have used, the data in the other grids only changes after the `CheckBox` in the first `DataGridView` looses focus.  

How to detect DataGridView CheckBox event change?

I&#39;m using an MVC 4 web API and asp.net web forms 4.0 to build a rest API. It&#39;s working great:

    [HttpGet]
    public HttpResponseMessage Me(string hash)
    {
        HttpResponseMessage httpResponseMessage;
        List&lt;Something&gt; somethings = ...

        httpResponseMessage = Request.CreateResponse(HttpStatusCode.OK, 
                                     new { result = true, somethings = somethings });

        return httpResponseMessage;
    }

Now I need to prevent some properties to be serialized. I know I can use some LINQ over the list and get only the properties I need, and generally it&#39;s a good approach, but in the present scenario the `something` object is too complex, and I need a different set of properties in different methods, so it&#39;s easier to mark, at runtime, each property to be ignored.

Is there a way to do that?


prevent property from being serialized in web API

Client

    iGame Channel = new ChannelFactory&lt;iGame&gt; ( new BasicHttpBinding ( BasicHttpSecurityMode . None ) , new EndpointAddress ( new Uri ( &quot;http://localhost:58597/Game.svc&quot; ) ) ) . CreateChannel ( );

    public Task&lt;SerializableDynamicObject&gt; Client ( SerializableDynamicObject Packet )
    {
        return Task&lt;SerializableDynamicObject&gt; . Factory . FromAsync ( Channel . BeginConnection , Channel . EndConnection , Packet , null );
    }

Contract

        [OperationContract ( AsyncPattern = true )]
        IAsyncResult BeginConnection ( SerializableDynamicObject Message , AsyncCallback Callback , object State );

        SerializableDynamicObject EndConnection ( IAsyncResult Result );

Service

    public IAsyncResult BeginConnection ( SerializableDynamicObject Message , AsyncCallback Callback , object State )
    {
        dynamic Request = Message;
        dynamic Response = new SerializableDynamicObject ( );
        if ( Request . Operation = &quot;test&quot; )
        {
            Response . Status = true;
        }
        Response . Status = false;

        return new CompletedAsyncResult&lt;SerializableDynamicObject&gt; ( Response );
    }

    public SerializableDynamicObject EndConnection ( IAsyncResult Result )
    {
        return ( Result as CompletedAsyncResult&lt;SerializableDynamicObject&gt; ) . Data;
    }

Exposing Service from Silverlight Client

    private async void myButton ( object sender , RoutedEventArgs e )
    {
        dynamic Request = new SerializableDynamicObject ( );
        Request . Operation = &quot;test&quot;;

        var task = Client ( Request );
        var result = await task;  // &lt;------------------------------ Exception
    }

Exception

    Task&lt;SerializableDynamicObject &gt; does not contain a definition for &#39;GetAwaiter&#39;

**What**&#39;s wrong ?


----------

**Edit 1 :**

Briefly,  

Visual studio 2012 RC **Silverlight 5 Application** consumes *Game* **WCF 4 Service** hosted in **ASP.net 4 Application** with ChannelFactory technique via Shared **Portable Library .NET4/SL5** contains the *iGame* interface with **Async CTP**

**Graph :**   
ASP.NET **&lt;=** Class Library ( Game ) **&lt;=** Portable Library ( iGame ) **=&gt;** Silverlight 


----------

**Edit 2 :**

* Microsoft.CompilerServices.AsyncTargetingPack.Silverlight5.dll is added in my SL5 Client
* using System . Threading . Tasks;
 



Task&lt;&gt; does not contain a definition for &#39;GetAwaiter&#39;

I was looking to add an Action Filter to my service to handle adding link data to the response message.  I have found that I need to mock HttpActionExecutedContext but it&#39;s a difficult class to mock, how are you dealing with Action Filter testing?

How can you unit test an Action Filter in ASP.NET Web Api?

I need to implement the following WebAPI method:

    /api/books?author=XXX&amp;title=XXX&amp;isbn=XXX&amp;somethingelse=XXX&amp;date=XXX

All of the query string parameters can be null. That is, the caller can specify from 0 to all of the 5 parameters.

In **MVC4 beta** I used to do the following:

    public class BooksController : ApiController
    {
        // GET /api/books?author=tolk&amp;title=lord&amp;isbn=91&amp;somethingelse=ABC&amp;date=1970-01-01
        public string GetFindBooks(string author, string title, string isbn, string somethingelse, DateTime? date) 
        {
            // ...
        }
    }

MVC4 RC doesn&#39;t behave like this anymore. If I specify fewer than 5 parameters, it replies with a `404` saying:

&gt;No action was found on the controller &#39;Books&#39; that matches the request.

What is the correct method signature to make it behave like it used to, without having to specify the optional parameter in the URL routing?

Optional query string parameters in ASP.NET Web API

I&#39;m designing a web site that will have a mobile companion (initally iPhone only). The web site will be an ASP.Net MVC 3 application. I&#39;ll also have an ASP.Net Web API site (MVC 4) to expose services to the iPhone application. The iPhone app will have its own form to capture username and password from the user and send that to the web API in JSON headers.

I want to consider security from the start rather than an after thought. *I&#39;m not a security expert by any means.* I&#39;ve done a good deal of research to see how other&#39;s are handling authentication of a mobile application client from a web service. I think I&#39;ve come up with a decent solution that doesn&#39;t involve hooking into to third party oAuths.

I would greatly appreciate any and all opinions, advice, criticism and general WTFs that any of you can offer. :)

My biggest concerns are:
&lt;ol&gt;
&lt;li&gt;Ensuring that calls made to the web API are authorized&lt;/li&gt;
&lt;li&gt;Minimizing the risk of replay attacks (hence timestamps in the calls below)&lt;/li&gt;
&lt;/ol&gt;

The iPhone app will be developed as such:&lt;br&gt;
*Two strings are hard-coded into the iPhone app (same values for every user):*
&lt;ol&gt;
&lt;li&gt;&lt;b&gt;Application ID&lt;/b&gt;&lt;br&gt;This is a string that is used to identify the type of client that is accessing the web API (iPhone, Android, Windows phone, etc).&lt;/li&gt;&lt;br&gt;
&lt;li&gt;&lt;b&gt;Application&#39;s Hashing Salt&lt;/b&gt;&lt;br&gt;This is a string that is used to salt hashes for user-agnostic requests.&lt;/li&gt;
&lt;/ol&gt;
*Two strings are stored in the iPhone app&#39;s local database (values unique to each user):*
&lt;ol&gt;
&lt;li&gt;&lt;b&gt;API User Access Token&lt;/b&gt;&lt;br&gt;This is a string (token) provided to the client by the web API upon successful authentication and allows the client to access the web API without sending the username and password in each request.&lt;br&gt;&lt;/li&gt;

&lt;li&gt;&lt;b&gt;User&#39;s Hashing Salt&lt;/b&gt;&lt;br&gt;This is a string that is used to salt hashes for requests made against established user accounts.&lt;/li&gt;
&lt;/ol&gt;
&lt;br&gt;
&lt;br&gt;
The iPhone will make calls to the web API in the following manner:&lt;br&gt;&lt;br&gt;
&lt;b&gt;API Method: Create Account&lt;/b&gt;&lt;br&gt;
Client Sends:
&lt;ul&gt;
&lt;li&gt;New Account Data (Username, Password, First Name, Last Name, etc..)&lt;/li&gt;
&lt;li&gt;Application ID&lt;/li&gt;
&lt;li&gt;UTC Timestamp&lt;/li&gt;
&lt;li&gt;Hash of UTC Timestamp + Application ID salted with Application&#39;s Hashing Salt&lt;/li&gt;
&lt;/ul&gt;
API Returns:
&lt;ul&gt;
&lt;li&gt;New User&#39;s Hashing Salt&lt;br&gt;&lt;br&gt;The idea here is that, when creating an account, I can use the application&#39;s hardcoded salt since it&#39;s not a huge security risk if that salt ever got out (through decompilation or some other means).&lt;br&gt;&lt;br&gt;
But for methods that access and modify the user&#39;s data I&#39;ll use a salt that is owned only by that user so it can&#39;t be used by an attacker to impersonate others.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;
&lt;b&gt;API Method: Get Account&lt;/b&gt;&lt;br&gt;(Used for getting user&#39;s hashing salt for accounts that were created on the web site but haven&#39;t yet been synced on the iPhone. This happens when a user tries to log in on the iPhone and iPhone detects that it has no record for that username.)&lt;br&gt;
&lt;br&gt;
Client Sends:
&lt;ul&gt;
&lt;li&gt;Username&lt;/li&gt;
&lt;li&gt;Password (hashed with Application&#39;s Hashing Salt)&lt;/li&gt;
&lt;li&gt;Application ID&lt;/li&gt;
&lt;li&gt;UTC Timestamp&lt;/li&gt;
&lt;li&gt;Hash of UTC Timestamp + Application ID salted with Application&#39;s Hashing Salt&lt;/li&gt;
&lt;/ul&gt;
API Returns:
&lt;ul&gt;
&lt;li&gt;Existing User&#39;s Hashing Salt&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;
&lt;b&gt;API Method: Log In (Authenticate)&lt;/b&gt;&lt;br&gt;
Client Sends:
&lt;ul&gt;
&lt;li&gt;Username&lt;/li&gt;
&lt;li&gt;Password (hashed with User&#39;s Hashing Salt)&lt;/li&gt;
&lt;li&gt;Application ID&lt;/li&gt;
&lt;li&gt;UTC Timestamp&lt;/li&gt;
&lt;li&gt;Hash of UTC Timestamp + Application ID salted with User&#39;s Hashing Salt&lt;/li&gt;
&lt;/ul&gt;
API Returns:
&lt;ul&gt;
&lt;li&gt;API User Access Token&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;
&lt;b&gt;API Method: Any Command (i.e. Create Post, Update Profile, Get Messages, etc...)&lt;/b&gt;&lt;br&gt;
Client Sends:
&lt;ul&gt;
&lt;li&gt;Command Data&lt;/li&gt;
&lt;li&gt;API User Access Token&lt;/li&gt;
&lt;li&gt;Application ID&lt;/li&gt;
&lt;li&gt;UTC Timestamp&lt;/li&gt;
&lt;li&gt;Hash of UTC Timestamp + Application ID + API User Access Token salted with User&#39;s Hashing Salt&lt;/li&gt;
&lt;/ul&gt;

Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)

I wish to add an [ASP.NET Web API](http://www.asp.net/web-api) to an ASP.NET MVC 4 Web Application project, developed in Visual Studio 2012. Which steps must I perform to add a functioning Web API to the project? I&#39;m aware that I need a controller deriving from ApiController, but that&#39;s about all I know.

Let me know if I need to provide more details.

How to add Web API to an existing ASP.NET MVC 4 Web Application project?

So with lots of different services around now, Google APIs, Twitter API, Facebook API, etc etc.

Each service has an API key, like:

`AIzaSyClzfrOzB818x55FASHvX4JuGQciR9lv7q`

All the keys vary in length and the characters they contain, I&#39;m wondering what the best approach is for generating an API key?

I&#39;m not asking for a specific language, just the general approach to creating keys, should they be an encryption of details of the users app, or a hash, or a hash of a random string, etc. Should we worry about hash algorithm (MSD, SHA1, bcrypt) etc?

**Edit:**
I&#39;ve spoke to a few friends (email/twitter) and they recommended just using a GUID with the dashes stripped. 

This seems a little hacky to me though, hoping to get some more ideas.

What&#39;s the best approach for generating a new API key?

Most app developers will integrate some third party libraries into their apps. If it&#39;s to access a service, such as Dropbox or YouTube, or for logging crashes. The number of third party libraries and services is staggering. Most of those libraries and services are integrated by somehow authenticating with the service, most of the time, this happens through an API key. For security purposes, services usually generate a public and private, often also referred to as secret, key. Unfortunately, in order to connect to the services, this private key must be used to authenticate and hence, probably be part of the application. 
Needless to say, that this faces in immense security problem. Public and private API keys can be extracted from APKs in a matter of minutes and can easily be automated. 

Assuming I have something similar to this, how can I protect the secret key:


    public class DropboxService  {
    
    	private final static String APP_KEY = &quot;jk433g34hg3&quot;;
    	private final static String APP_SECRET = &quot;987dwdqwdqw90&quot;;
    	private final static AccessType ACCESS_TYPE = AccessType.DROPBOX;
    
    	// SOME MORE CODE HERE
    	
    }

What is in your opinion the best and most secure way to store the private key? Obfuscation, encryption, what do you think?

Best practice for storing and protecting private API keys in applications

How do I get Google Maps API key to work on localhost?

I&#39;ve created an API key and under referrers I add the following:

    Accept requests from these HTTP referrers (websites) (Optional)

    Use asterisks for wildcards. If you leave this blank, requests will be 
    accepted from any referrer. Be sure to add referrers before using this key 
    in production. 

    localhost

This doesn&#39;t work and if I exclude the API key it doesn&#39;t work, either.

Googlemaps API Key for Localhost

So I am using the Google Maps API on my first project that I am doing... So yes I am new and I am sorry if this is basic or obvious but I haven&#39;t been able to find a clear answer or direction. Below is the documentation I found from Google about securely using the API Key.

--------------------------------------------------

Best practices for securely using API keys

When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:

Do not embed API keys directly in code: API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application&#39;s source tree.
Do not store API keys in files inside your application&#39;s source tree: If you store API keys in files, keep the files outside your application&#39;s source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.
Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them: By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
Delete unneeded API keys: To minimize your exposure to attack, delete any API keys that you no longer need.
Regenerate your API keys periodically: You can regenerate API keys from the Cloud Platform Console Credentials page by clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.
Review your code before publicly releasing it: Ensure that your code does not contain API keys or any other private information before you make your code publicly available.

-------------------------------------------------

Now my problem is I can&#39;t figure out how to incorporate the Google Map on my website without directly putting it in the code. Right now my API is in my index.html like this:

    &lt;script async defer
        src=&quot;https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&amp;callback=initMap&quot;&gt;
    &lt;/script&gt;

But again this is directly in my code for the world to see which I believe is the wrong way.

How do I securely use Google API Keys

I have a React app that uses two third-party services. The app was started using `react-create-app`.

Both of these services require a API key.

One key is supplied via a script tag, like this:

    &lt;script type=&quot;text/javascript&quot; src=&quot;https://myapi?key=MY_KEY&quot;&gt;
    &lt;/script&gt;

The other API key is used in a request. I store the actual key in a constant and use it to form the request. Like this:

    const MY_OTHER_KEY = &#39;MY_OTHER_KEY&#39;
    let url = `http://myotherapi?key=${MY_OTHER_KEY}&amp;q=${query}`

Google&#39;s [best practice tips][1] on handling API keys says:

&gt; Do not embed API keys directly in code

This brings me to my first question:

**1. How to use variables in `index.html`?**

In my `index.html` file, I have two tags that look like this:

    &lt;link rel=&quot;manifest&quot; href=&quot;%PUBLIC_URL%/manifest.json&quot;&gt;
    &lt;link rel=&quot;shortcut icon&quot; href=&quot;%PUBLIC_URL%/favicon.ico&quot;&gt;

Obviously, `%PUBLIC_URL%`is a variable. How can I add a variable `%MY_KEY%` as to avoid embedding the API key directly in my code?

To get something like this:

    &lt;script type=&quot;text/javascript&quot; src=&quot;https://myapi?key=%MY_KEY%&quot;&gt;
    &lt;/script&gt;

Related to this question, is it safe to have the API key stored in a constant, like I do for `MY_OTHER_KEY`?

Google also says:

&gt; Do not store API keys in files inside your application&#39;s source tree

This brings me to my second question: 

**2. Doesn&#39;t the API key still end up in the bundle?**

Say I do what Google says and I

&gt; ... store them in environment variables or in files outside of your
&gt; application&#39;s source tree

Say I store a key in a outside file. That file will, I assume, be read at some point and it&#39;s contents either copied in the bundle or referenced in some other way. In the end, won&#39;t the key still be visible in the bundle, except maybe harder to find? How does this help exactly?

**3. Is there a canonic way of using API keys in a react app? Or is it up to the individual developer?**

Self explanatory, I&#39;m looking for the react way of solving this issue, if there is one.

Thank you for your help!

  [1]: https://support.google.com/googleapi/answer/6310037

Content Type	Original Author	Original Content on Stackoverflow
Question	DarthVader	View Question on Stackoverflow
Solution 1 - C#	cuongle	View Answer on Stackoverflow

Web API creating API keys

C# Problem Overview

C# Solutions

Solution 1 - C#

c# MemoryStream vs Byte Array

How to increase memory limit for PHP over 2GB?

Attributions