
Version 4: Resolution of security (pen test) findings, dependency vulnerabilities and other small updates #45

Merged (22 commits) on Oct 2, 2023

Conversation


@SiCoe SiCoe commented Oct 2, 2023

This pull request major version bumps master to version 4.

Note: all major updates have already been reviewed to get into this v4 branch.

Changes

  • HTML encoding template replacements to avoid potential cross-site scripting issue.
    • It was found that the _callback page utilized in the authorization flow reflects potentially dangerous user input, though there are a number of caveats to this that prevented the successful execution of meaningful attacks such as XSS and HTML Injection.
  • Setting SameSite cookie attribute to strict.
    • SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
  • Setting Secure cookie attribute.
    • If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
  • Update npm dependencies to remove vulnerabilities.
    • All npm audit vulnerability severities removed by updating referenced versions.
  • Update returned footer information to reference this repository instead of upstream.
  • Include testing against nodejs v18 (current latest nodejs version for Lambda@Edge).
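As an added example, not code from this pull request or the project it modifies: the two mitigations described above in Node.js, HTML-entity encoding of every value substituted into a page template (so a reflected callback parameter cannot break out of its text or attribute context) and Set-Cookie headers carrying Secure and SameSite=Strict in the Lambda@Edge response shape. The `{{name}}` placeholder syntax, the cookie names and the HttpOnly attribute are assumptions for the example, not something the PR states.

```javascript
// Added example, not the project's code. Encode untrusted values before
// template substitution and emit hardened Set-Cookie headers.

// Minimal HTML entity encoding, safe for element text and quoted attributes.
// '&' is replaced first so already-produced entities are not double-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Replace {{name}} placeholders (assumed syntax); every substituted value is
// encoded, and unknown keys render as empty rather than leaking the marker.
function renderTemplate(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? htmlEncode(values[key]) : '');
}

// One Set-Cookie value: Secure (never sent over plain HTTP), SameSite=Strict
// (never sent on cross-site requests); HttpOnly is an assumed extra.
function buildCookie(name, value, { maxAge = 3600, path = '/' } = {}) {
  const attrs = [`Path=${path}`, `Max-Age=${maxAge}`, 'Secure', 'HttpOnly', 'SameSite=Strict'];
  return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// Lambda@Edge response shape: headers keyed by lowercase name, each a list of
// {key, value} objects, so several Set-Cookie headers can be returned.
function buildResponse(body, cookies) {
  return {
    status: '200',
    statusDescription: 'OK',
    headers: {
      'content-type': [{ key: 'Content-Type', value: 'text/html; charset=utf-8' }],
      'set-cookie': cookies.map((c) => ({ key: 'Set-Cookie', value: c })),
    },
    body,
  };
}

// Constructed sample: an error string reflected from the callback query string.
const sampleUntrusted = '<script>alert(1)</script>"';
const samplePage = renderTemplate('<p>Error: {{error}}</p>', { error: sampleUntrusted });
const sampleResponse = buildResponse(samplePage, [
  buildCookie('NONCE', 'n 1'),
  buildCookie('CV', 'verifier'),
]);
console.log(JSON.stringify(sampleResponse, null, 2));
```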

include nodejs18.x in build targets
Configure NONCE and CV cookies as `secure` for pkce
All cookies sameSite as `Strict` for pkce
Set cookies as `secure` and `samesite: strict` in open github and openid
allows tooling to identify engine version
include Content-Type header in responses
Correct footers to correct repository url
This is due to licensing concern. 'html-entities' is distributed with the MIT license.
URI encode template replacement to avoid XSS
all `npm audit` vulnerability severities removed by updating referenced versions

note: some are breaking change updates
@SiCoe SiCoe added this to the v4 milestone Oct 2, 2023
@SiCoe SiCoe merged commit 183bf6b into master Oct 2, 2023
3 checks passed