As for SQL Injection -- we don't use SQL, so there's no risk of that. We also take care to not blindly pass in whatever the user passes in, and use a library that automatically sanitizes anything a user sends in. Again, that is another component (node_redis) that is maintained elsewhere, and is subject to much more rigorous scrutiny than NodeBB itself is.
Since we are not using MySQL and using Redis, do we have a provision of taking BACKUP of the redis database!?