Testing: Extensive vulnerability checks

[ezrichards]

We need to extensively test the site for vulnerabilities.

I've looked mainly into SQL injection potentially so far, and we should continue to look into this. A lot of our queries are "static" and have no user fields going directly into them, but some do.

In order to feel comfortable about vulnerabilities on the final product, we should investigate/verify:

• SQL injection (and "sanitation" on the backend)
• Image uploading edge cases (which should be covered, but it doesn't hurt to test again)
• Script injection in frontend JS fields
• Cross site scripting (helmet should prevent against this, but again we need to test)
• Stress testing
• Any other things

These may not necessarily have PRs associated with them, but we should have discussions about all of these things if possible.

[ezrichards]

We should also ensure that admin sessions are deleted when admins are edited.

This is pretty hard to test locally (as we only have access to one mines account), so we can test in prod before we release.

[ezrichards]

We might want to ask OreSec to penetration test too