I am creating a web app using hapi.js that allows users to upload images. I am validating the uploaded images in both the client and server to only allow .jpg/.jpeg, .png, and .gif files. However, I am new to web application security and when it comes to image sanitization I am a bit lost.
I am trying to follow these OWASP Upload Verification guidelines:
- Use image rewriting libraries to verify the image is valid and to strip away extraneous content.
- Set the extension of the stored image to be a valid image extension based on the detected content type of the image from image processing (e.g. do not just trust the header from the upload).
These are my questions:
- Can I simply run each uploaded image through a package like sharp and the rewriting process will remove any embedded code? The author of sharp has made a brief comment on security, but I still don't understand what the possible security issues are or how to handle them.
- I have read comments that say that reading bytes into a Buffer cannot execute malicious code. If I were to input a file into sharp as a Buffer object, would that remove any malicious code and eliminate the possible security issues?
- Do I need to run the uploaded images through an antivirus scan (like clamscan or node-virustotal or Web Exploit Detector)? If yes, would I need to run the images through a scan before or after I run the images through an image processor or should I do the scan with no image processing?
I would really like to understand web application security better (especially for Node apps), so any direction you can give me on these issues (or places I can go to learn more) would be very much appreciated.
Thank you!
gd? Thank you very much. – Hyperbaton
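The second OWASP guideline quoted in the question, as an added example that is not part of the original post and not code from sharp or hapi.js: it picks the stored extension from the file's magic bytes rather than the client-supplied name, and counts bytes appended after a PNG's IEND chunk, which a signature check alone does not notice. The function names and sample buffers are assumptions constructed for illustration.

```javascript
// Added example. Extension comes from the file's bytes, never the client's name/header.
const SIGNATURES = [
  { ext: 'jpg', mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { ext: 'png', mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { ext: 'gif', mime: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
  { ext: 'gif', mime: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
];

function detectImageType(buf) {
  const hit = SIGNATURES.find(
    (s) => buf.length >= s.magic.length && s.magic.every((b, i) => buf[i] === b));
  return hit ? { ext: hit.ext, mime: hit.mime } : null;
}

// PNG chunk = 4-byte length, 4-byte type, data, 4-byte CRC (CRC not verified here).
// Returns the number of bytes after IEND, or -1 if the chunk structure is malformed.
function pngTrailingBytes(buf) {
  let off = 8; // skip the 8-byte PNG signature
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    off += 12 + len;
    if (off > buf.length) return -1; // chunk claims more data than the file holds
    if (type === 'IEND') return buf.length - off;
  }
  return -1; // ran out of data before IEND
}

function inspectUpload(buf) {
  const type = detectImageType(buf);
  if (!type) return null; // not an allowed image type: reject
  const trailing = type.ext === 'png' ? pngTrailingBytes(buf) : null; // shown for PNG only
  return { ...type, trailing };
}

// Constructed sample data: a structurally minimal PNG (zeroed IHDR data and CRCs).
function chunk(type, data) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, 'latin1');
  return Buffer.concat([head, data, Buffer.alloc(4)]);
}
const cleanPng = Buffer.concat([
  Buffer.from(SIGNATURES[1].magic), chunk('IHDR', Buffer.alloc(13)), chunk('IEND', Buffer.alloc(0))]);
const paddedPng = Buffer.concat([cleanPng, Buffer.from('constructed trailing bytes')]);
const gifNamedJpg = Buffer.from('GIF89a', 'latin1'); // imagine it was uploaded as "photo.jpg"

console.log(inspectUpload(paddedPng), inspectUpload(gifNamedJpg));
```

A matching signature says nothing about whether the rest of the file decodes, so this check complements the rewriting step in the first guideline and does not replace it.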