GetReal Consent Form - Security Audit Checklist

Document Version: 1.0 Last Updated: 2025-11-07 Prepared By: Testing & Documentation Agent Purpose: Pre-deployment security and quality assurance checklist

📋 How to Use This Checklist

1. Pre-Deployment: Run through ALL sections before deploying to production
2. Testing Environment: Perform tests on staging/local first
3. Sign-Off Required: Every checkbox must be verified before production deploy
4. Documentation: Record findings in audit log (create audit-log-YYYY-MM-DD.md)

1. Environment Configuration

Production Environment Variables

• PUBLIC_DOCUSEAL_TEMPLATE_PROLIFIC set in production .env

  • Verify: Template ID is correct for Prolific participants
  • Command: echo $PUBLIC_DOCUSEAL_TEMPLATE_PROLIFIC (should return template ID)

• PUBLIC_DOCUSEAL_TEMPLATE_RECRUITEE set in production .env

  • Verify: Template ID is correct for Recruitee participants
  • Command: echo $PUBLIC_DOCUSEAL_TEMPLATE_RECRUITEE

• PUBLIC_DOCUSEAL_API_URL points to production backend

  • Expected: https://api.yourpersonalai.net/create-submitter
  • Command: echo $PUBLIC_DOCUSEAL_API_URL
  • Test: curl -X POST $PUBLIC_DOCUSEAL_API_URL (should return 400/401, not 404)

• No hardcoded secrets in source code

  • Verify: Run git grep -i "api_key\|secret\|password\|token" src/pages/getreal/
  • Expected: No matches in committed files
  • Note: Secrets must ONLY be in .env (gitignored)

• .env file is NOT committed to version control

  • Verify: .env is in .gitignore
  • Command: git check-ignore .env (should return .env)

2. Security Controls

Input Validation

• PID validation tested

  • Test cases:
    • Valid PID: 5f8d7a3b → ✅ PASS
    • Too short: ab → ❌ FAIL
    • Too long: 65 characters → ❌ FAIL
    • Invalid chars: test@user → ❌ FAIL
    • XSS attempt: <script>alert(1)</script> → ❌ FAIL
  • Command: node --test src/pages/getreal/__tests__/consent.test.js

• Email validation tested

  • Test cases:
    • Valid email: [email protected] → ✅ PASS
    • Consecutive dots: [email protected] → ❌ FAIL
    • Leading dot: [email protected] → ❌ FAIL
    • Trailing dot: [email protected] → ❌ FAIL
    • Too long: 255+ characters → ❌ FAIL
    • XSS attempt: <script>@example.com → ❌ FAIL
  • Command: node --test src/pages/getreal/__tests__/consent.test.js

• XSS prevention verified

  • Test: Submit form with <script>alert(1)</script> in PID/email
  • Expected: Rejected by validation (never reaches backend)
  • Verify: No innerHTML usage in code (use textContent instead)

• SQL injection prevention verified

  • Test: Submit form with '; DROP TABLE users; -- in PID/email
  • Expected: Rejected by validation
  • Note: Backend should use prepared statements (not tested here)

Rate Limiting

• Rate limiting tested (5 attempts per 60 seconds)
  • Test 1: Make 5 rapid form submissions
    • Expected: All 5 allowed
  • Test 2: Make 6th attempt immediately
    • Expected: Blocked with “Try again in X seconds” message
  • Test 3: Wait 61 seconds, try again
    • Expected: Allowed (rate limit reset)
  • Command: Manual testing (see script below)

// Run in browser console on /getreal/consent page
async function testRateLimit() {
  for (let i = 1; i <= 6; i++) {
    const response = await fetch('/api/create-submitter', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        template_id: 1228886,
        prolific_pid: `test-${Date.now()}`,
      }),
    });
    console.log(`Attempt ${i}:`, response.status, await response.text());
    await new Promise((r) => setTimeout(r, 1000)); // 1s delay
  }
}
testRateLimit();

Network Security

• Fetch timeout tested (15 seconds max)

  • Test: Simulate slow backend (use network throttling in DevTools)
  • Expected: Request aborts after 15s with timeout error
  • DevTools: Network tab → Throttling → Slow 3G

• HTTPS enforcement verified

  • Production URL: https://yourpersonalai.net/getreal/consent
  • Verify: HTTP redirects to HTTPS
  • Command: curl -I http://yourpersonalai.net/getreal/consent (expect 301/302)

• CORS headers verified (backend)

  • Test: Check API response headers
  • Expected: Access-Control-Allow-Origin: https://yourpersonalai.net
  • Command: curl -I -X OPTIONS $PUBLIC_DOCUSEAL_API_URL

3. Error Handling

Network Errors

• Offline detection tested

  • Test: Disable network, submit form
  • Expected: “You appear to be offline. Please check your connection.” message
  • DevTools: Network tab → Offline checkbox

• Network timeout tested

  • Test: Enable Slow 3G throttling, submit form
  • Expected: “Request took too long. Please try again.” after 15s
  • DevTools: Network tab → Throttling → Slow 3G

Backend Error Responses

• 400 Bad Request handled

  • Test: Submit invalid JSON to backend
  • Expected: User-friendly error (not raw JSON)
  • Command: curl -X POST $PUBLIC_DOCUSEAL_API_URL -d 'invalid'

• 401 Unauthorized handled

  • Expected: “Unauthorized access. Please contact support.”

• 403 Forbidden handled

  • Expected: “Access denied. Please use the link from your coordinator.”

• 404 Not Found handled

  • Test: Submit request to non-existent endpoint
  • Expected: “Service unavailable. Please try again later.”

• 500 Internal Server Error handled

  • Expected: “Server error. Our team has been notified.”

• No stack traces exposed to users

  • Verify: All error messages are user-friendly
  • Check: Console logs do NOT contain Error: ... at line X

Duplicate Submission Prevention

• Duplicate submission blocked
  • Test: Submit same PID/email twice rapidly
  • Expected: Second submission rejected OR deduplication on backend
  • Note: Document which layer handles deduplication (frontend/backend)

4. Privacy & Data Protection

PII Handling

• Email masking in console logs verified

  • Test: Submit form with email [email protected]
  • Check console: Should log j***@example.com (not full email)
  • Command: Open DevTools Console, check logs during submission

• No PII in error messages

  • Verify: Error messages do NOT contain:
    • Full email addresses
    • Full PIDs
    • IP addresses
    • User agent strings

• sessionStorage cleared on completion

  • Test: Complete form, check sessionStorage
  • Expected: No PID/email stored
  • DevTools: Application → Storage → Session Storage

• No sensitive data in URL after redirect

  • Test: Complete form, check final URL
  • Expected: URL does NOT contain email/PID in plaintext
  • Example: ?id=abc123 ✅ OK | [email protected] ❌ FAIL

GDPR Compliance

• Data minimization verified

  • Verify: Only collect necessary data (PID OR email, not both)
  • Check: DocuSeal form only requests required fields

• Right to be forgotten process documented

  • Document: How users can request data deletion
  • Location: PRIVACY-POLICY.md or equivalent

• Data retention policy defined

  • Document: How long consent forms are stored
  • Recommendation: 7 years for legal compliance (research studies)

5. Accessibility (WCAG 2.1 AA)

ARIA & Semantic HTML

• ARIA labels on progress indicators

  • Verify: role="progressbar" with aria-valuemin, aria-valuemax, aria-valuenow
  • Command: Inspect element #cgScrollProgress

• Screen reader announcements tested

  • Test: Use NVDA/JAWS to navigate form
  • Expected: Loading states and errors announced
  • Attribute: role="status" aria-live="polite" on status element

• Keyboard navigation tested

  • Test: Tab through entire form without mouse
  • Expected: All interactive elements reachable
  • Check: Focus indicators visible on all buttons/links

Color Contrast

• Color contrast verified (4.5:1 minimum for text)

  • Tool: Chrome DevTools → Elements → Accessibility pane
  • Test cases:
    • Error text (#EF4444) on dark background
    • Button text (#FFFFFF) on purple gradient
    • Status text (#FFFFFF 80%) on glass card
  • Tool: WebAIM Contrast Checker

• Focus indicators visible

  • Test: Tab through form, check focus rings
  • Expected: Visible outline (minimum 2px)
  • Check: :focus styles in CSS

6. Performance

Memory Leaks

• Memory leaks tested (Page Visibility API)

  • Test 1: Load page, switch to another tab for 5 minutes
    • Expected: Background timers paused (check Chrome Task Manager)
  • Test 2: Return to tab
    • Expected: Timers resume, no duplicate timers
  • DevTools: Performance → Memory tab

• Event listeners cleaned up

  • Test: Inspect window event listeners before/after form completion
  • Expected: No orphaned listeners
  • DevTools: Console → getEventListeners(window)

Network Performance

• No excessive network requests

  • Test: Monitor network tab during form load
  • Expected: ≤5 requests (HTML, DocuSeal script, backend API, fonts)
  • DevTools: Network tab → Filter: All

• API request deduplication

  • Test: Rapidly click submit button 10 times
  • Expected: Only 1 backend request sent (button disabled after first click)

7. UX Testing

Scroll Tracking

• Scroll tracking tested (desktop)

  • Test: Scroll through form slowly
  • Expected: Progress bar updates (0% → 100%)
  • Expected: “Scroll to sign” button visible until 95% scrolled

• Scroll tracking tested (mobile)

  • Test: Repeat on mobile viewport (375x667)
  • Expected: Same behavior as desktop
  • DevTools: Toggle device toolbar → iPhone SE

Completion Reminder

• Completion reminder tested (15-second delay)
  • Test: Load form, wait 15 seconds without scrolling
  • Expected: Reminder appears: “Almost there! Please scroll down to sign.”
  • Expected: Reminder disappears after scrolling to bottom

Form Submission Flow

• Prolific flow tested

  • URL: /getreal/consent?prolific_pid=test123
  • Expected: DocuSeal form loads with PID pre-filled
  • Expected: On completion, redirects to /getreal/video-redirect?prolific_pid=test123&source=Prolific

• Recruitee flow tested

  • URL: /getreal/[email protected]
  • Expected: DocuSeal form loads with email pre-filled
  • Expected: On completion, redirects to /getreal/[email protected]&source=Recruitee

Redirect After Completion

• Redirect URL format verified
  • Expected format: /getreal/video-redirect?<identifier>&source=<Prolific|Recruitee>
  • Test: Complete form, inspect final URL
  • Note: Backend returns redirect URL, frontend does NOT construct it

Retry Button

• Retry button tested
  • Test: Trigger error (e.g., invalid PID), click “Try Again”
  • Expected: Form reloads, error cleared

8. Browser Compatibility

Desktop Browsers

• Chrome/Edge tested (Windows 11)

  • Version: Latest stable
  • Test: Full flow (load → validate → submit → redirect)

• Firefox tested (Windows 11)

  • Version: Latest stable
  • Test: Full flow + scroll tracking

• Safari tested (macOS)

  • Version: Latest stable
  • Note: Test backdrop-filter, -webkit-backdrop-filter

Mobile Browsers

• iOS Safari tested (iPhone 12+)

  • Test: Full flow + touch scroll + completion reminder

• Chrome Android tested (Pixel 5+)

  • Test: Full flow + responsive layout

Compatibility Issues

• Polyfills verified (if needed)
  • Check: fetch, URLSearchParams, Promise support
  • Tool: Can I Use

9. Integration Testing

DocuSeal Embedding

• DocuSeal form embedding tested

  • Test: Form loads inside .cg-form-wrap container
  • Expected: <docuseal-form> element created with correct data-src

• DocuSeal script loaded

  • Verify: https://cdn.docuseal.com/js/form.js loads successfully
  • DevTools: Network tab → Filter: JS → Check script status 200

• Form completion event tested

  • Test: Complete DocuSeal form (sign)
  • Expected: JavaScript completed event fires
  • Check console: Should log “Form completed: “

Backend API Integration

• Backend API tested (create submitter endpoint)

  • Endpoint: POST /create-submitter
  • Test payload:

    {
      "template_id": 1228886,
      "prolific_pid": "test123",
      "source": "Prolific",
      "completed_redirect_url": "/getreal/video-redirect?prolific_pid=test123&source=Prolific"
    }
    

  • Expected response:

    {
      "ok": true,
      "slug": "abc123xyz",
      "redirect_url": "/getreal/video-redirect?prolific_pid=test123&source=Prolific"
    }
    

• API error responses handled

  • Test: Send invalid payload (missing template_id)
  • Expected: Backend returns 400, frontend shows error

Email Pre-fill (Recruitee)

• Email pre-fill tested
  • URL: /getreal/[email protected]
  • Expected: DocuSeal form has email field pre-filled
  • Attribute: data-email="[email protected]" on <docuseal-form>

PID Parameter (Prolific)

• PID parameter tested
  • URL: /getreal/consent?prolific_pid=5f8d7a3b
  • Expected: Backend receives PID in request body
  • Expected: DocuSeal form does NOT show PID field (hidden via CSS)

10. Production Readiness

Code Quality

• Debug logging disabled

  • Verify: CONFIG.debug = false in production build
  • Command: grep "debug: true" src/pages/getreal/consent.astro (should return nothing)

• Console errors checked

  • Test: Load page in production, open DevTools Console
  • Expected: No errors (red messages)
  • Warnings: Acceptable if not security-related

• TypeScript errors resolved (if applicable)

  • Command: npm run build
  • Expected: No type errors

Performance Metrics

• Lighthouse score checked
  • Tool: Chrome DevTools → Lighthouse
  • Test: Run audit on /getreal/consent?prolific_pid=test123
  • Target scores:
    • Performance: ≥90
    • Accessibility: ≥95
    • Best Practices: ≥95
    • SEO: ≥90
  • Command: npm run test:lighthouse:mobile (if configured)

Error Tracking

• Sentry configured (or equivalent)

  • Verify: Error tracking DSN in production .env
  • Test: Trigger error, check Sentry dashboard for event

• Error alerting tested

  • Test: Submit form with backend down
  • Expected: Error logged to Sentry with context (PID masked)

Analytics

• Analytics configured (if needed)
  • Tool: Google Analytics, Plausible, or similar
  • Events to track:
    • Form loaded
    • Form completed
    • Errors encountered
  • Privacy: Ensure no PII tracked

11. Security Headers (Backend)

Note: These are backend responsibilities, verify with backend team.

• Content-Security-Policy header set

  • Expected: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.docuseal.com
  • Command: curl -I https://api.yourpersonalai.net/create-submitter

• X-Content-Type-Options header set

  • Expected: X-Content-Type-Options: nosniff

• X-Frame-Options header set

  • Expected: X-Frame-Options: DENY or SAMEORIGIN

• Strict-Transport-Security header set

  • Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains

• Referrer-Policy header set

  • Expected: Referrer-Policy: strict-origin-when-cross-origin

12. Documentation

• README updated with setup instructions

  • Include: Environment variables, development setup, testing

• API documentation complete

  • Document: Backend endpoints, request/response schemas

• Privacy policy updated

  • Include: What data is collected, how it’s used, retention period

• Incident response plan documented

  • Include: What to do if data breach, contact points

13. Deployment Checklist

Pre-Deployment

• All checklist items above completed
• Code reviewed by security team
• Penetration testing completed (if required)
• Legal approval obtained (consent form text)

Deployment

• Deploy to staging first
• Run full test suite on staging
• Monitor error logs for 24 hours
• Deploy to production (off-peak hours)

Post-Deployment

• Smoke test production URL
• Monitor error rates (Sentry dashboard)
• Check analytics (form completion rate)
• Document any issues in incident log

14. Rollback Plan

Trigger Conditions

• Rollback if any of these occur:
  • Error rate >5%
  • Form completion rate drops >20%
  • Security vulnerability discovered
  • Data leak detected

Rollback Steps

1. Notify stakeholders (Slack #engineering)
2. Revert to previous deployment
3. Verify old version is working
4. Post-mortem analysis within 48 hours

15. Sign-Off

Testing Team

• Security Audit: Passed ✅ / Failed ❌
  • Auditor: ___
  • Date: ___
  • Notes: ___

Product Team

• UX Testing: Passed ✅ / Failed ❌
  • Tester: ___
  • Date: ___

Engineering Team

• Code Review: Passed ✅ / Failed ❌
  • Reviewer: ___
  • Date: ___

Deployment Approval

• Production Deployment: Approved ✅ / Blocked ❌
  • Approver: ___
  • Date: ___
  • Deployment Time: ___

Appendix: Testing Scripts

Rate Limit Test Script

// Run in browser console on /getreal/consent page
async function testRateLimit() {
  const pid = `test-${Date.now()}`;
  for (let i = 1; i <= 6; i++) {
    const response = await fetch('https://api.yourpersonalai.net/create-submitter', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        template_id: 1228886,
        prolific_pid: pid,
        source: 'Prolific',
        completed_redirect_url: '/getreal/video-redirect',
      }),
    });
    const data = await response.json();
    console.log(`Attempt ${i}:`, response.status, data);
    await new Promise((r) => setTimeout(r, 1000)); // 1s delay
  }
}
testRateLimit();

XSS Test Payloads

// Test in browser console
const xssPayloads = [
  '<script>alert("XSS")</script>',
  '<img src=x onerror=alert(1)>',
  'javascript:alert(1)',
  '<svg/onload=alert(1)>',
  '"><script>alert(1)</script>',
];

xssPayloads.forEach((payload) => {
  const url = `/getreal/consent?prolific_pid=${encodeURIComponent(payload)}`;
  console.log('Testing XSS:', url);
  // Open in new tab and verify error message shown (payload not executed)
});

SQL Injection Test Payloads

const sqlPayloads = ["'; DROP TABLE users; --", "1' OR '1'='1", "admin'--"];

sqlPayloads.forEach((payload) => {
  const url = `/getreal/consent?prolific_pid=${encodeURIComponent(payload)}`;
  console.log('Testing SQL injection:', url);
  // Verify payload rejected by validation
});

End of Checklist

Revision History

Related Documents

• Unit Tests: src/pages/getreal/__tests__/consent.test.js
• Privacy Policy: PRIVACY-POLICY.md (TODO)
• API Documentation: API-DOCUMENTATION.md (TODO)
• Incident Response Plan: INCIDENT-RESPONSE.md (TODO)