Basic internal security review of the US PFT codebase

[eloquence]

As part of the open source release (and also generally as a good internal practice), we should perform a basic internal security review of this codebase against common web application vulnerabilities in the main codebase or its dependencies; @conorsch also suggested doing so. @emkll I would suggest that we allocate some of your time for this.

[conorsch]

We've gone through a similar process already prior to open-sourcing the SDO repo (https://github.com/freedomofpress/securedrop.org/). SInce this repository will become public, we'll be sparse on the details in this ticket itself, but I'll share some documentation with team members about next steps to coordinate the review.

[conorsch]

Update: we've audited the repo history, and cleaned up a few discussion threads that had sensitive info in them. There are still some outstanding tasks prior to pulling the lever, tracked in https://github.com/freedomofpress/tracker/milestone/1

[harrislapiroff]

@conorsch feel free to close this issue if you think the security audit aspects are complete!

[conorsch]

Yes, satisfied with the review we've performed. Thanks, all.