Saturday, June 2, 2018

Security considerations for making a plugin architecture

Hello dotnet!

I’ve done a good bit of coding making a plugin architecture in an ASP MVC application. I have plugins dynamically loading and extending areas on the pages, etc.

I’m planning on making a system that’s built around these plugins, along with having third-party plugins in a repository that the user can choose to include in their system - much like WordPress!

What are some security measures I should take to ensure a plugin doesn’t have too much knowledge of the environment?

So far I’ve managed to do / look at:

  • embedding the config file for each plugin into its assembly so every plugin can have an individual configuration (their own connection strings etc.), just so this file isn’t available on the file system
    • I’m looking at ways to encrypt this.
  • only plugins of the owning assembly can decrypt / view the configuration file
  • obfuscation of the plugin DLL just to make it that little bit harder.
  • plugins only initialise using my own plugin initialiser framework, and not using the asp app builder etc.

What I know is a security concern, but have no idea if or how it is possible:

  • restricting the plugin from reading environment variables of the server

Any others you could add to the list?

Thanks all
