chore: root commit of OWSAP security testing/tightening

tests-results-for-OWASP/evidence-log-template.md

@@ -0,0 +1,70 @@
+# OWASP Verification Evidence Log Template
+
+## Run metadata
+
+- Date:
+- Environment: `local` | `staging` | `production`
+- App/API version (git SHA):
+- Operator:
+
+## Environment flags
+
+- `NODE_ENV`:
+- `AUTH_DISABLED`:
+- `ALLOW_INSECURE_AUTH_FOR_DEV`:
+
+## Commands executed
+
+1.
+```bash
+# command
+```
+Output summary:
+
+2.
+```bash
+# command
+```
+Output summary:
+
+3.
+```bash
+# command
+```
+Output summary:
+
+## Results
+
+- A01 protected route unauthenticated check: `pass` | `fail`
+- A01 spoofed header check: `pass` | `fail`
+- A01 admin rollover exposure check: `pass` | `fail`
+- A01 automated suite (`auth` + `account-delete` + `admin-rollover`): `pass` | `fail`
+- A02 dedicated suite (`security-misconfiguration`): `pass` | `fail`
+- A03 dedicated suite (`software-supply-chain-failures`): `pass` | `fail`
+- A04 dedicated suites (`cryptographic-failures*`): `pass` | `fail`
+- A05 dedicated suite (`injection-safety`): `pass` | `fail`
+- A06 dedicated suite (`insecure-design`): `pass` | `fail`
+- A07 dedicated suites (`auth.routes` + `identification-auth-failures`): `pass` | `fail`
+- A08 dedicated suite (`software-data-integrity-failures`): `pass` | `fail`
+- A09 dedicated suite (`security-logging-monitoring-failures`): `pass` | `fail`
+- A10 dedicated suite (`server-side-request-forgery`): `pass` | `fail`
+- Non-DB security suite (`SECURITY_DB_TESTS=0`): `pass` | `fail`
+- DB security suite (`SECURITY_DB_TESTS=1`): `pass` | `fail`
+
+## Findings
+
+- New issues observed:
+- Regressions observed:
+- Follow-up tickets:
+
+## Residual Risk Review
+
+- Reviewed `residual-risk-backlog.md`: `yes` | `no`
+- Items accepted for this release:
+- Items escalated/blocked:
+
+## Sign-off
+
+- Security reviewer:
+- Engineering owner:
+- Decision: `approved` | `blocked`