Search the Community
Showing results for tags 'Security'.
-
Not sure if this is a Synology-only problem, but the standard user shouldn't be able to log in externally without a password
-
Assign network drives including access data for security reasons possible?
Siutsch posted a topic in General/Windows
A fundamental question about security, especially because of the current problems caused by the so-called Emotet Trojan: I use the emby server under Windows10 on the same PC where my Kodi Client is installed. The data is stored on a Synology NAS. Under Windows direct, I did not set up network drives directly on this PC, but use the UNC paths for the libraries, e.g. \\IP\Share\folder\... Since emby does not allow you to specify credentials, the logged in Windows user must have access to this shares on the NAS. In case of a Trojan infestation of the PC, especially Emotet should have no problems with encrypting the complete data on the NAS with these read/write rights, even if the network drives have not been assigned directly under Windows. It would be much safer if the access is not done with the logged in Windows user, but with another user whose credentials have to be transferred in emby. According to my understanding, a Trojan infestation of the PC should then no longer be able to access the data directly from the operating system and possibly compromise them. So is it possible to transfer access data to network drives as well? Thanks a lot. -
Clicking "SIGN IN" on https://emby.media takes me to http://app.emby.media/#!/startup/welcome.html This should be https as a basic requirement for all the modern apps/websites.
-
So I found a pretty big issue today while signing into Emby. I changed my Emby password yesterday, but when I went to sign on today I accidentally used my old password and my old password STILL WORKED! I am able to sign in with both my old AND new password. I feel like this is a pretty big security flaw. While writing this, I'm starting to question whether or not this is a bug. My old Emby user password was the same as my connect password, so are you able to sign into your Emby user account on the web dashboard (this one, specifically: https://memester.cf/u/rrqj90.png) using your connect password?
- 2 replies
- Tagged with: security, vulnerability (and 1 more)
-
A bit like this topic https://emby.media/community/index.php?/topic/73224-emby-shows-unknown-users/ and this topic https://emby.media/community/index.php?/topic/71982-server-security-compromised/ I have also found my emby setup to have been compromised. In my case, like some of these users, I found a user called "computerguyiptv" on my system (showing as a cloud user).

Having just spent the better part of a couple of hours digging into this, I am pretty happy to say that while you guys are clearly working on the security, it sounds like long-standing defaults are making a right mess of this. In my case I did not have an admin password set and remote access was turned on. As far as I can tell those two were both defaults when I installed Emby as a package on my Synology NAS a couple of years ago. I actually wasn't aware Emby was using uPnP to add a port forward, and it turns out my router kindly does not show uPnP added entries alongside user added ones, so from my point of view there was no remote access, hence my lack of caring about an admin password.

It sounds like you guys have changed some defaults now and also changed it to not allow remote access without a password. That sounds great, but can I check that these are retrospective changes applying to running systems, not just newly installed ones? My guess is not, as I was up to date and I still got caught.

Having since pulled my activity log from the database, I actually feel a little sick going through finding events that were not me. I can see remote users accessing my content and have been for the last month. People even connecting their smart TVs to it. This has left me feeling really uneasy about my emby install, which at this point I am considering deleting to be certain they have not placed a malicious file in the system for a later date. That said, I am not seeing a sane/easy way to back up current settings, so that may be slightly more annoying.

What scares me the most about all of this is I work in the IT industry, I am a developer by trade, and I had not noticed this nor prevented it. That tells me your average user is really going to struggle with this. I had not gone hunting through all the advanced settings looking for defaults like remote access. Feeling really unimpressed, especially since I pay for the premium service. Would appreciate your thoughts and some reassurance that this is being taken seriously as an issue.

Thanks
Craig
-
I have created multiple libraries targeted for different set of users. I have granted access to one or more libraries for a given user, and no access to other libraries. The libraries where the user has no access, are not available from his dashboard, however, a direct link to the library or a movie within the library, will allow the user access. Is this somehow possible to prevent? Regards Johannes
-
I'm trying to connect to the hosted web app through HTTPS, because Chromecast now needs it to work properly. I'm told to select my server, and it won't connect to it. I can connect to it just fine on HTTP. So, does anyone know what's wrong and how I fix it?
- 2 replies
- Tagged with: chromecast, https (and 1 more)
-
I just installed Emby on my Windows 7 desktop with default settings. I'm using it to share my 23GB of music. I have one 250 GB SSD (operating system) and one 1 TB non-SSD hard drive (with the music), which I don't have a backup plan for right now. I've given a few of my friends the dynamic IP address (which doesn't seem to change) to use with their phone apps. I don't plan on using the server for much else. I'm worried I've exposed myself to the internet. Would Emby Connect be safer? It requires them to make an Emby account, correct? How about a static IP address, different DNS, or NAS? Are 2 NAS disks in a NAS sufficient for periodic backup and serving?
-
I like Emby enough that I bought a premiere license a while back, but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication.

Steps to reproduce (using version 3.4.1.0). Note: this example is using a video but the problem persists for all content types.
1. Log into Emby from your browser (in this example, Chrome).
2. Open the developer tools -> Network tab.
3. Filter the traffic by "stream.mov".
4. Play any video and you should see a GET request show up.
5. Copy the entire "stream.mov" URL.
6. Fully clear your browser.
7. Paste in the copied URL.

Bam, video downloads without any type of authentication. Users can copy & paste this link, allowing unauthenticated sharing. Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching. After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS. So this concern is void. I can't be the first to notice this. Suggestions welcome; no, I can't force all users through a VPN.
-
Hello, I suggest expanding the security:
- User blocking function after 5 (to be determined by the administrator) consecutive incorrect logins.
- Blocking the IP address (DDOS, firewall): if over a period of 15 minutes (to be determined by the administrator) there are incorrect logins (amount to be determined by the administrator), block it for 1 hour (to be determined by the administrator).

IP addresses should be visible in the menu, it should be easy to clear individual or all addresses, and there should be a schedule for clearing these addresses set by the administrator (for example: always Monday 1:00).

Firewall in Windows (command block in php):

    shell_exec("netsh advfirewall firewall add rule name=EmbyServ_".$time."_".$ipp." profile=any dir=in action=block enable=yes remoteip=$ipp");

Command no block in php:

    shell_exec("netsh advfirewall firewall delete rule name=..................);
-
There have been a few posts around the forum recently regarding SSL, HTTPS and security. I'm by no means an expert on reverse proxies but have had a lot of dealings with them over the past few months, and with the help of @pir8radio and @shorty1483 have a fairly well set up and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS.

So firstly, what is and why do I need a reverse proxy?

If you're like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else, then you have to open multiple ports on your router to direct traffic to where it needs to go. With a reverse proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443, so I close all ports bar 443.

Another reason to use a reverse proxy is that you can use your own domain certs easily and fine-tune your security settings. If you want to test your domain security go here - https://securityheaders.io/ Chances are your rating will be an F. With a reverse proxy you can easily attain a B+/A grade. You can also set up a web faced server running NGINX and then have additional servers behind that hidden on your LAN; however, if you're like me, I have NGINX running on the same machine as Emby.

I only access Emby remotely, do I still need a reverse proxy?

Difficult to answer. No, you don't need a reverse proxy to access Emby, but if you do then you can fine-tune the security. This guide assumes you have a domain name, your own certs to go with your domain name, and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS set up.

Have I convinced you yet?
I run Windows OS at home so this guide follows a Windows setup, but the config will be the same across all OS.

1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ As of writing this guide it's version 1.13.0.1 Violet.
2. Extract the ZIP file somewhere easy to find. C:\NGINX.
   a. To make future updating easier: when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX.
3. Before we get started on the config of NGINX, let's install it as a service.
   a. Download NSSM
   b. Extract the ZIP
   c. Copy the correct x86 or x64 nssm.exe to C:\Windows\System32
   d. Open a CMD, type ‘nssm install nginx’
   e. Fill in the Application Path – C:\NGINX\nginx.exe, Startup directory – C:\NGINX, Service name – NGINX. Install Service.

Don’t start the service yet, we need to configure NGINX. To create a config I use Notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts.

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        gzip on;
        gzip_disable "msie6";
        gzip_comp_level 6;
        gzip_min_length 1100;
        gzip_buffers 16 8k;
        gzip_proxied any;
        gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
        tcp_nodelay on;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##
    }

This part is fairly standard. Anything starting with # is disabled or just a comment. The config is broken down into blocks. The first block here is the HTTP block.
The HTTP block contains all the headers required to do the work of the reverse proxy; for example, when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses.

    ## Default Listening ##
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

This next block is called a server block and it is nested inside the HTTP block. This block is optional; it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::]:80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again, only needed if you are forcing everyone to use HTTPS only.
    ##EMBY Server##
    server {
        listen 80;
        listen [::]:80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        #add_header Public-Key-Pins '
        #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE=";
        #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
        #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
        #max-age=86400; includeSubDomains';

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

        location / {
            proxy_pass http://192.168.10.10:8096;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

The next server block is where the magic happens. First, the listen 80; and listen [::]:80; are only needed if you want to allow users to access your Emby server on port 80. Otherwise delete these 2 lines to force all users to HTTPS access. listen 443 ssl; and listen [::]:443 ssl; are the default HTTPS ports, again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access Emby from outside your network.

Now let's look at the SSL certificates. For my setup I created a .pem file. This file contains both my cert, intermediate and CA root cert in one file.
This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm You should now have your cert.pem and a private.key file. For simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder). This tells NGINX where to find the certs.

    ssl_certificate SSL/cert.pem;
    ssl_certificate_key SSL/private.key;

For now I am going to skip over the #add_header Public-Key-Pins - as you can see I have it disabled by using # in front of it. I will explain why later on.

The next section adds further security tweaks. You will need to change the content-security-policy domain names to your own. You need to list all your subdomains, i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea.

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096 You can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. The rest of the location block is default stuff to help the data get to where it is needed.

Your config should now look like the one below.
We need to save it to C:\NGINX\conf and name it nginx.conf

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##

        ## Default Listening ##
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
        }

        ##EMBY Server##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.mydomain.com;

            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;

            #add_header Public-Key-Pins '
            #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
            #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
            #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
            #max-age=86400; includeSubDomains';

            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_hide_header X-Powered-By;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

            location / {
                proxy_pass http://192.168.10.10:8096;

                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }

And that's it, you can now start your NGINX services by running services.msc and starting NGINX.
- 4 replies
- 10
- Tagged with: NGINX, reverse proxy (and 5 more)
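An added example, not part of the original post or of NGINX itself: a small Python linter that checks a reverse-proxy config for the settings the guide above walks through (server_tokens, HTTP-to-HTTPS redirect, ssl_protocols, the add_header lines). The function names, the finding labels and the hardened variant (TLS 1.2/1.3 only, `always` on every header) are assumptions made for illustration; the sample config is constructed from the guide's final config.

```python
import re

# Tokens: quoted strings, comments, structural characters, bare words.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"' r"|'(?:[^'\\]|\\.)*'"
                   r"|#[^\n]*|[{};]" r"""|[^\s{};"']+""")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
EXPECTED_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "x-frame-options", "referrer-policy", "content-security-policy")

# Constructed sample: the guide's final config, trimmed to the audited directives.
GUIDE_CONF = """
http {
    server_tokens off;
    server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; }
    server {
        listen 443 ssl;
        server_name emby.mydomain.com;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";
        location / { proxy_pass http://192.168.10.10:8096; }
    }
}
"""
# Assumption (not from the guide): TLS 1.2+ only and 'always' on every header.
HARDENED_CONF = (GUIDE_CONF.replace("TLSv1.2 TLSv1.1 TLSv1;", "TLSv1.2 TLSv1.3;")
                 .replace("'no-referrer';", "'no-referrer' always;")
                 .replace('emby.mydomain.com;";', 'emby.mydomain.com;" always;'))

def parse(text):
    """Parse nginx syntax into nested dicts of directives and child blocks."""
    root = {"name": "main", "args": [], "directives": [], "blocks": []}
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok[0] == "#":                       # comment: ignore
            continue
        if tok not in ("{", "}", ";"):          # directive name or argument
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if tok == ";" and words:
            stack[-1]["directives"].append((words[0], words[1:]))
        elif tok == "{":
            block = {"name": (words or [""])[0], "args": words[1:],
                     "directives": [], "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif tok == "}":
            stack = stack[:-1] or stack         # tolerate a stray closing brace
        words = []
    return root

def walk(block, name):
    for child in block["blocks"]:
        if child["name"] == name:
            yield child
        yield from walk(child, name)

def values(block, name):
    return [args for directive, args in block["directives"] if directive == name]

def audit(conf_text):
    """Return (server, issue, detail) tuples for the settings the guide covers."""
    root, findings = parse(conf_text), []
    for http in walk(root, "http"):
        if ["off"] not in values(http, "server_tokens"):
            findings.append(("http", "version-disclosed", "server_tokens"))
    for server in walk(root, "server"):
        label = (values(server, "server_name") or [["(unnamed)"]])[0][0]
        listens = values(server, "listen")
        redirects = any(a[0] == "301" and a[-1].startswith("https://")
                        for a in values(server, "return"))
        if any("ssl" not in a for a in listens) and not redirects:
            findings.append((label, "plain-http", "no redirect to HTTPS"))
        if not any("ssl" in a for a in listens):
            continue
        protocols = {p for args in values(server, "ssl_protocols") for p in args}
        for proto in sorted(protocols & WEAK_PROTOCOLS):
            findings.append((label, "deprecated-protocol", proto))
        headers = {a[0].lower(): a for a in values(server, "add_header")}
        for name in EXPECTED_HEADERS:
            if name not in headers:
                findings.append((label, "missing-header", name))
            elif len(headers[name]) < 3 or headers[name][-1] != "always":
                # Without 'always', nginx omits the header on error responses.
                findings.append((label, "header-not-always", name))
        for loc in walk(server, "location"):
            if values(loc, "add_header"):
                # add_header in a location replaces the server-level set there.
                findings.append((label, "headers-overridden", " ".join(loc["args"])))
    return findings
```

Run against the guide's config, `audit(GUIDE_CONF)` reports the TLSv1/TLSv1.1 entries and the two headers set without `always`; `audit(HARDENED_CONF)` returns an empty list.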
-
Hello,

In this thread: http://mediabrowser.tv/community/index.php?/topic/12014-large-library-causing-issues/page-1 it is mentioned the server logfiles are available on the internet without any form of authentication. @ebr responds to this with:

I have not changed anything in my site configuration, I've done a standard installation so the installer configured the webserver for me. I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box.

To test it, use this link, but include your own hostname (or IP address) and logfilename.

http://[HOSTNAME]:8096/mediabrowser/System/Logs/
http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME]

Cheers,
Danee
- 8 replies
- 1
- Tagged with: security, unauthenticated (and 2 more)
-
When I invite someone to my server and they link their emby connect account the password from their emby connect isn't the same as the one on the server. In fact, if they set no password on the server ANYONE can log into their account without any password and access all media on the server! Is this expected behavior? Seems completely insane to me! Why do I have to set passwords for users who already have passwords for their emby connect accounts? Is there a way to disable login without access to their emby connect account?
-
Definitions:
Local refers to HTTP/unsecure
External refers to HTTPS/secure

For local use, I really see no reason to use passwords, but for external use, passwords are critical to prevent anonymous access (only want a handful of people to access it, not the ~7 billion people on the planet). What I expected going into this is that only Emby Connect enabled accounts would show up through HTTPS and they would require the Emby Connect credentials to log in. What I got was the same as HTTP: click a name and you're in.

So, what does Emby support now in terms of restricting access to the world other than NAT routers and requiring all users to have a password? If I have it about right, then consider this a feature request (probably should move it to the Feature Request forum).
- 17 replies
- Tagged with: access, emby connect (and 4 more)
-
Two-step verification (preferably using 3rd party options, such as Google) for signing into server from outside the home network. How feasible would this be? edit: Pardon the typo in the title; can't figure out how to correct it.
-
Hi, I currently use Emby on a Windows server as an internal media center with the Emby for WMC client. 2 users are created:
- 1 for my kids, without any password, allowing them to easily access all the stuff they like through the remote control + TV
- 1 for parents, with a very simple numeric password that we can enter with the remote control. The idea is to disallow kids from watching films and series that are not for their age.

Today, I would like to activate external access to let friends access my media library from the internet. So I activated Emby Connect, which works great. But, as I entered a NAT rule in my internet box, it opens access to my server from the outside. So anyone that scans my IP and tries port 8096 is able to access my media through my kids' unprotected user or through the very simple parent user password. So, I would like to use Emby Connect but disallow direct HTTP access on my external public IP address with the kids and parents users (which I still need to be viewable from the Emby for WMC client; I do not want to manually enter login/pass from my remote control). Is it possible?

Other idea: today, when I use TeamViewer, I do not need to open any incoming NAT rule on my internet box to connect to my PC from the outside. I do not know how it works but I suppose that my PC has a permanent outgoing HTTPS connection to the TeamViewer cloud that, then, lets me connect to it. Would it be possible to have this kind of functionality in Emby? Emby server would have a permanent connection to the Emby cloud that would let Emby Connect users connect to it. On the other hand, it would not allow direct HTTP access on port 8096 for other users...

Thanks
-
I've seen that in "Manage Server > Help > Logs", where the logs list can be found, each one can be read and downloaded. OK so far. The problem is: the generated URLs create a persistent authentication bypass where anyone with that URL can directly read this and other logs (simply varying the incremental number).

Example: https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-63597366821.txt&api_key=72ef32b64a3c3486842c519dcc75a06e

I modified the api_key here in this topic on purpose... or else anyone here would be allowed to download my logs.

The problem: your browsing URL can be seen in a number of different places (cumulatively):
- Your local computers, by other users
- A network proxy, if you're accessing from an office (any IT employee there)
- Your ISP, that in other case would not have that kind of information about your server (any IT employee there)
- NSA (everyone there)

So... is it possible that the API_KEY will be hidden and a POST header (session-based) used, instead? Thanks!
-
This is a very serious security bug:
1. Downloaded stable Version 3.0.5882.0 (Windows 7)
2. Go through setup. I already had an account created with Emby, therefore added my email address and approved in email.
3. Was asked to create a user (User1) in one of the next steps.
4. Set up libraries, set up https access (all through remote access software)
5. Now to the bad part - to my extreme surprise, when I went to my external address (keep in mind I am not even at my house while setting this up) and I have never logged on to Emby before from this computer, to my surprise I am presented with a big "User1" button in the middle and there is no password required to manage the entire library! How in the world is the Admin user accessing through the external address and allowing the user account to manage without a password?

P.S. Of course I have added a password and edited the account to be removed from the login screen; however, not everyone without the knowledge would ever be able to know that they just exposed their media administrator to the entire world, who can delete the entire library with a few button clicks.
-
Hi everyone. Instant Emby fan and new Member here. As a network geek, I wanted to ask about port forwarding and security concerns in general. I'm a little uneasy about punching holes in my home firewall and wanted to know if others have run into similar concerns, and what they've done about it. As a former Plex user, one thing I liked was that I didn't have to port forward anything...being away from home I could still log into my Plex library just fine. I don't know how they achieve this btw, maybe via proxy or a reverse connection to the client? But in Emby, I can't access my library without forwarding TCP port 8096. So...here are my questions: 1) Anybody feel the need to change the default Emby port to something else for security reasons? If so, anyone have any issues doing so? 2) I tried using TCP port 8920 for https connectivity and couldn't get my Android client app to connect. Normal http connections over 8096 work just fine. Any one else having this issue? Thanks.
- 7 replies
- Tagged with: security, port forwarding (and 1 more)
-
I don't know if it were the intended behavior. But the IPTV Channel (Video Bookmarks) Plugin allows an administrator to add an IPTV feed. But, no other user can see the feed, only the administrator. Since you can only add feeds from the admin back-end, then no user besides the administrator can ever use the plugin. Am I correct in arriving to this conclusion? In any sense, if I am correct on this plugin's behavior, I went ahead and removed the user_id parameter from the .cs file where the query is made. I compiled it and uploaded it to my instance of emby-server and so far it's working great. If this is something anyone might be interested, I can do a pull request on the Github repo to submit my change. Or if there is a more appropriate place to upload my code changes, I can do that as well. edit for grammar
-
Remove password max length on Emby Connect or at least match the forum
vidkun posted a topic in Feature Requests
Emby connect appears to limit the max length of a password to less characters than the forum does despite using the same username/email address. Please remove the character limit on the Emby Connect login or at least increase it to be the same or greater than the forum. -
Version 3.0.5482.4. I removed devices from my server on version 4000, and no devices would get re-populated in the list. I see the devices listed in the security area with an api key. I just don't see them repopulating in the devices area of the server, which limits me to not being able to assign users to certain devices. Is there any server file I could delete to get the devices to start filling in again?
-
Hi everyone, I would like to be able to configure the Emby server running on my PC to allow only specific users to access it and serve media. I can't seem to find any settings or config to do this. For example, if someone (a guest) logs into our home network via our wireless router, I don't want them to see the Emby server on our network or if they see it, not be able to access any of the media. Currently they can, even if they don't have a login for the network or the PC that has the Emby server running on it. I find that a little strange for default behavior. I have private pictures and videos and I don't want business guests that come to our home for meetings to be able to see the server. Thanks.
-
I just noticed in Emby 3.0.7013.4 (latest beta) that, using the webclient for server administration or media playback, when the user logs out, if you click on "Manual Login" the last user's username but more importantly also the password are already filled in. I'm not sure if this was the same on previous versions or not. This might pose a security risk in the scenario that the last logged-in user was a server administrator, but it will also have other implications and risks when you use different users for parental control or library access. The issue is more evident if you only use manual login for all your users (hiding them from the login page).

Repro steps:
1. Log in with any username in the webclient.
2. Log out using the logout button. The webclient will return to the login screen.
3. Click on "Manual Login" and you will see the user credentials of the last logged-in user already filled in, including its password.
4. Click on "Log In" and it will go ahead and log you in with the last user's credentials.

Thanks.
-
- Tagged with: credentials, clear (and 3 more)
-
Unprotected access to video file, no login screen
stanislaw2002 posted a topic in Non-Emby General Discussion
Hello, I noticed once in Firefox browser watching video, right click on video brings submenu offering various options, including “Copy video location” and “Email video” (Chrome has “Copy video URL”) Anyway, once you copy the link and email it to anybody they can access the video without authentication. Is it possible to change this and make a video more secure? The example of the direct link that bypass user’s authentication: http://myip.address.com:8096/Videos/0582de1364832564a1da425fb501f01d/stream.mp4?Static=true&mediaSourceId=0582de1364832564a1da425fb501f01d&api_key=81c0f4041be1491aa5316052d589c6fd Regards
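An added example, not from either poster or from Emby: the log-download post and the video-link post above both show an `api_key` travelling in the query string, so this Python sketch redacts that parameter from reverse-proxy access logs and reports any key seen from more than one client address, a sign that a link has been passed on. The log lines, addresses and key values are constructed, and the function names are hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Constructed key values and access-log lines (nginx "combined" format).
KEY_A, KEY_B = "a" * 32, "b" * 32
SAMPLE_LOG = [
    f'198.51.100.10 - - [01/Jan/2016:10:00:00 +0000] "GET /emby/System/Logs/Log'
    f'?name=server-1.txt&api_key={KEY_A} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.77 - - [01/Jan/2016:18:30:00 +0000] "GET /emby/System/Logs/Log'
    f'?name=server-2.txt&api_key={KEY_A} HTTP/1.1" 200 7340 "-" "curl/7.47"',
    f'198.51.100.10 - - [01/Jan/2016:19:00:00 +0000] "GET /Videos/0001/stream.mp4'
    f'?Static=true&api_key={KEY_B} HTTP/1.1" 206 1048576 '
    f'"https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-1.txt'
    f'&api_key={KEY_B}" "Mozilla/5.0"',
    '198.51.100.10 - - [01/Jan/2016:19:05:00 +0000] "GET /web/index.html HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0"',
]

# Client address and request target of one combined-format log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*"')
# Value of an api_key query parameter, wherever it appears in the line.
API_KEY = re.compile(r'(?<=[?&]api_key=)[^&\s"#]+', re.IGNORECASE)


def fingerprint(key):
    """Short SHA-256 prefix, so reports never contain the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(line):
    """Blank out every api_key value, including ones in the Referer field."""
    return API_KEY.sub("REDACTED", line)


def keys_shared_across_clients(lines):
    """Map key fingerprint -> client addresses, for keys used by 2+ addresses."""
    clients = defaultdict(set)
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        address, target = match.groups()
        for key in API_KEY.findall(target):
            clients[fingerprint(key)].add(address)
    return {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
    print(keys_shared_across_clients(SAMPLE_LOG))
```

Redacting before logs are stored or shared limits how far a key spreads; a key that shows up from several addresses is a candidate for revocation.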