Below is a short security checklist for a web application.
- Login screen
  - To slow down brute-force attacks, display a captcha after 3-5 failed attempts from the same IP.
  - Enforce a minimum password length of more than 8 characters.
- Registration (or any open form)
  - Display a captcha on every form before it can be submitted.
- SSL is a must, whether the certificate is free or paid.
- Avoid exposing a table's primary key in URLs; use a separate identifier instead, e.g. a secure ID made of 10 unique randomized alphanumeric characters.
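An added example (not from the checklist's author) covering two of the items above: a per-IP failed-login counter that requires a captcha once the threshold is reached, and a CSPRNG-backed 10-character alphanumeric ID for use in URLs instead of the primary key. The threshold of 3, the 15-minute window and the class/function names are assumptions for this illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Assumed values: the checklist says "3-5 attempts"; this example uses 3,
# and forgets failures older than 15 minutes.
CAPTCHA_THRESHOLD = 3
WINDOW_SECONDS = 15 * 60

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class LoginThrottle:
    """Track failed logins per client IP and report when a captcha is required.

    Hypothetical helper written for this checklist, not part of any framework.
    """

    def __init__(self, threshold=CAPTCHA_THRESHOLD, window=WINDOW_SECONDS, clock=time.time):
        self.threshold = threshold
        self.window = window
        self.clock = clock  # injectable for testing
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _prune(self, ip):
        # Drop failures that fall outside the sliding window.
        now = self.clock()
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, ip):
        self._prune(ip).append(self.clock())

    def record_success(self, ip):
        # A successful login clears the counter for that IP.
        self._failures.pop(ip, None)

    def captcha_required(self, ip):
        return len(self._prune(ip)) >= self.threshold


def new_public_id(length=10, alphabet=ALPHABET):
    """Random alphanumeric ID for URLs, drawn from the CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Key the counter on the client address you actually trust: behind a reverse proxy, configure the proxy's forwarded-address handling rather than reading a client-supplied header directly. When storing a public ID, keep a unique index on the column and retry generation on the rare collision.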