Answer to Ignorant Developer Question re: Websites Needing Private User Keys

in #steemit 8 years ago


So . . . . last night I asked a question (https://steemit.com/steemit/@mark-waser/ignorant-but-hopefully-not-stupid-developer-question-or-maybe-it-s-a-suggestion), raised by Ned's idea for a Steem Bounty System (https://steemit.com/bounties/@ned/it-s-time-for-a-steem-bounty-system), better phrased as:

"What are the best practices for websites needing users to perform Steem operations that require their personal keys?"  

The last thing anyone here should do is to give their keys to some random

At that time, I was thinking about something similar to how PayPal receives payment requests or Facebook and others handle OAuth2 requests -- but that would require additional Steemit development to allow and handle such requests . . . . 

After I received no usable answers (though several good tries, thank you!), I started digging through some of the source code . . . . discovered the answer to my own question and figured that I would share it.

The best practice for websites needing users to perform Steem operations requiring personal keys is to have client-side JavaScript perform them.

Client-side JavaScript can be inspected to ensure that no keys ever leave the users' machines. Creating the JavaScript code for actually performing the operations is a relatively straightforward task if one builds upon the functions made available by @Fabian (https://steemit.com/@fabien) on GitHub (https://github.com/adcpm).
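
The pattern described above, as an added example (not code from this post or from the GitHub project it links to): the key is used only on the client, the site receives the operation plus a signature, and a check confirms no encoding of the key is in the outbound payload. All function names, the key pair and the sample operation are constructed, and plain ECDSA over JSON stands in for Steem's real transaction serialization.

```javascript
// Added example: generic ECDSA over JSON, not Steem's real transaction format.
const nodeCrypto = require('node:crypto');

// Constructed throwaway key pair standing in for a user's key (hypothetical).
const { privateKey, publicKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

// Client side: the private key is used here and never placed in the result.
function signOperationLocally(operation, userPrivateKey) {
  const body = JSON.stringify(operation);
  const signature = nodeCrypto
    .sign('sha256', Buffer.from(body), userPrivateKey)
    .toString('hex');
  return { body, signature };
}

// Server side: holds only the public key, so it can verify but never sign.
function serverVerify(payload, userPublicKey) {
  return nodeCrypto.verify('sha256', Buffer.from(payload.body), userPublicKey,
    Buffer.from(payload.signature, 'hex'));
}

// Inspection check: does any common encoding of the secret scalar appear
// in the bytes that would go over the wire?
function leaksKey(payload, userPrivateKey) {
  const wire = JSON.stringify(payload);
  const d = Buffer.from(userPrivateKey.export({ format: 'jwk' }).d, 'base64url');
  return ['hex', 'base64', 'base64url'].some((enc) => wire.includes(d.toString(enc)));
}

// Constructed sample operation.
const sampleOp = { type: 'vote', voter: 'alice', author: 'bob',
  permlink: 'example-post', weight: 10000 };
const outbound = signOperationLocally(sampleOp, privateKey);
console.log('server accepts:', serverVerify(outbound, publicKey));
console.log('key on the wire:', leaksKey(outbound, privateKey));
```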
