Nice.

Security is hard. And requires keeping up with the literature, as they say. I’m somewhat out of the loop at this point and there are many concerns; easy-ish first ones include–

• Only HTTPS with modern ciphers.
• Never put meaningful or replayable info in cookies.
• Never echo untrusted content to the browser.
• Never store plaintext passwords.
• Always serve all content locally or with checksums if remote.
• Only give lowest permission absolutely necessary to do anything.
• Log everything to find attacks you forgot to cover.

The gold standard for guidelines is OWASP (Open Web Application Security Project).