commercetools / commercetools-sunrise-java

The next generation shop framework by commercetools
https://demo.commercetools.com
Apache License 2.0

Check that all mutations are done Get-Post-Redir with csrfToken #587

Open nkuehn opened 7 years ago

nkuehn commented 7 years ago

Before releasing a 1.0 it would be reassuring to have done a review that the security-related patterns, e.g. CSRF and HTTP flow via get-post-redirect, are consistently done in all places, especially the checkout.

Maybe other important security-related reviews, too?

lauraluiz commented 7 years ago

This is for sure done everywhere. There is a CSRF filter that forces the token everywhere, and Sunrise forces you to deal with what happens in case of success on the form handling, which by default in Sunrise Starter is redirection. I will anyway leave this open to do a last check when the time comes.

Looking forward to suggestions on other security checks :)
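
An added illustration of the two properties this thread wants verified for every mutating route, written for this page and not taken from Sunrise (which is a Play/Java application): a POST must carry a valid csrfToken, and a successful POST must answer with a redirect (POST-redirect-GET) rather than rendering a page. The `Session`, `Request`, `Response` types, the two handlers and the route table are hypothetical stand-ins for the framework, and `apply_coupon_legacy` is constructed to violate both rules so the audit has something to flag.

```python
"""Added example for this issue, not Sunrise's own code.

Hypothetical mini-framework: a session-bound HMAC csrfToken, one handler that
follows the CSRF + POST-redirect-GET pattern, one that breaks it, and an audit
that exercises every non-GET route the way the issue title asks for.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # real app: loaded from config, not per process


@dataclass
class Session:
    id: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    form: dict
    session: Session


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on redirects


def csrf_token(session: Session) -> str:
    """Token bound to the session via HMAC, so another origin cannot predict it."""
    return hmac.new(SERVER_SECRET, session.id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(request: Request) -> bool:
    """Constant-time comparison; a missing token compares as '' and fails."""
    submitted = request.form.get("csrfToken", "")
    return hmac.compare_digest(submitted, csrf_token(request.session))


def save_shipping_address(request: Request, store: dict) -> Response:
    """Mutation done as the thread describes: token enforced, redirect on success."""
    if not csrf_valid(request):
        return Response(status=403)
    if not request.form.get("street"):
        return Response(status=400)  # validation error: re-render the form, no redirect
    store["address"] = request.form["street"]
    return Response(status=303, location="/checkout/payment")


def apply_coupon_legacy(request: Request, store: dict) -> Response:
    """Constructed counter-example: no token check, renders 200 so a refresh re-POSTs."""
    store["coupon"] = request.form.get("code")
    return Response(status=200)


# Hypothetical route table (method, path, handler); GET routes carry no handler here.
ROUTES = [
    ("GET", "/checkout/address", None),
    ("POST", "/checkout/address", save_shipping_address),
    ("POST", "/cart/coupon", apply_coupon_legacy),
]

# Constructed form payloads that should succeed once a csrfToken is added.
GOOD_FORMS = {
    "/checkout/address": {"street": "1 Main St"},
    "/cart/coupon": {"code": "SAVE10"},
}


def audit_mutations(routes, good_forms):
    """Return {path: [findings]} for every non-GET route that violates a rule."""
    findings = {}
    for method, path, handler in routes:
        if method == "GET":
            continue
        session = Session()
        problems = []
        # 1. Forged request: correct fields but no token -> must be rejected.
        forged = Request(method, dict(good_forms[path]), session)
        if handler(forged, {}).status != 403:
            problems.append("accepts POST without csrfToken")
        # 2. Legitimate request with token -> must answer with a redirect.
        form = dict(good_forms[path], csrfToken=csrf_token(session))
        resp = handler(Request(method, form, session), {})
        if not (300 <= resp.status < 400 and resp.location):
            problems.append(f"success answers {resp.status} instead of a redirect")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in audit_mutations(ROUTES, GOOD_FORMS).items():
        print(path, "->", "; ".join(problems))
```

Running it flags only `/cart/coupon`, for both reasons; `/checkout/address` passes because a token-less POST gets 403 and a valid one gets 303 with a `Location`. The 400 branch deliberately does not redirect: POST-redirect-GET applies to the success path, while validation errors re-render the form so the user keeps their input.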

nkuehn commented 7 years ago

Quite a while ago a partner pointed out to me that there's a place in the checkout that does not do get-post-redirect. But that's long ago.

This was really just intended as a pre-1.0 reminder. Releasing with obvious security holes is a pretty nice PR disaster.