obsidian-security-basics

# Obsidian Security Basics ## Overview Security practices for Obsidian plugin development. Plugins run with full vault filesystem access and can make arbitrary network requests inside Electron. Responsible development requires protecting credentials, sanitizing external data, validating URI handlers, minimizing permissions, and following Obsidian's plugin guidelines to avoid community submission rejection. ## Prerequisites - Obsidian plugin development environment - Understanding that `.obsidian/plugins/<id>/data.json` is synced by cloud services - Awareness of [Obsidian Plugin Guidelines](https://docs.obsidian.md/Plugins/Releasing/Plugin+guidelines) ## Instructions ### Step 1: Credential Storage — Never in data.json Plugin settings (`data.json`) live inside the vault and are synced by iCloud, Dropbox, Obsidian Sync, and Git. API keys stored here are effectively public. ```typescript // BAD: API key stored in plugin settings (synced to cloud, committed to Git) interface BadSettings { apiKey: string; // This ends up in .obsidian/plugins/my-plugin/data.json } // GOOD: Use Electron's safeStorage for desktop (encrypted at OS level) import { Platform } from 'obsidian'; export class SecureStorage { private plugin: Plugin; constructor(plugin: Plugin) { this.plugin = plugin; } async storeSecret(key: string, value: string): Promise<void> { if (Platform.isDesktopApp) { // Electron's safeStorage uses OS keychain (Keychain on macOS, DPAPI on Windows) con...