Not essential to 'full stack', but could be considered a 'full stack' skill too, really it fits under the ubrella of testing so it depends on where you work if testing is part of the devloper flow, or left to testers.

Well you should know at least some of the basic web attacks and how they work and how to prevent, like SQL injections, Cross-Site-Scripting and Cross Site Request Forgery, aso.

It's never bad, however it would be too much work to dive deep into this topic. If you work on a daily basis as a Pen-Tester your quality of work will always be better then someone that is just trying out things from time to time. And I don't think that pen-testing will be a essential part of "full-stack".