Does Module Zero have built-in CSRF prevention or is this outside the scope of Module Zero?
I noticed there is a "ASP.NET_SessionId" cookie. Is module zero making use of ASP.NET Sessions? Is it possible to turn this off?
Is there any reason that you didn't make use of T4 templates to generate classes and interfaces for the localization? It would mean users could use auto-complete, intelli-sense and get compile-time errors when using string localization, instead of run-time errors when it can't find a matching string?
Also, could be used to warn / error at compile-time if there are missing translations.
It can also be used in a similar way for app settings, connection strings and other configuration.