Thank you for asking this question, this is indeed important as the plugin ecosystem grows. In general, when it’s about security with plugins, there are 2 different cases:
- Stuff that the plugin builder needs to do to make sure the API credentials, etc. are secure
- Stuff the application building needs to do to make sure their users’ data/credentials are secure
The general rule is this.
-
If the data/credential to be secured is hardcoded in the app by the application builder, the plugin builder needs to make sure these keys are marked as secure in the plugin editor. So this applies to API keys and keys as defined in the Shared tab. So for instance, if when using a plugin, the user enters his key in the Property Editor for an action, that means the setting isn’t right. It should be a key and made secret, and defined by the application builder in the Plugins Tab.
-
If the data to be kept secured is user-dependent, the responsibility here is on the application builder, and they need to make sure they have the right privacy rules in place to make sure the data isn’t exposed to the wrong user. The plugin builder here doesn’t have to do much when building the plugin, the property on the action, for instance, does not have the concept of private/public.
I hope this is more clear, happy to elaborate more if this isn’t clear yet.