1) Add a CSRF token to every POST form submission.
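One way to implement this check, as an added example that is not code from the original checklist: the server issues a token bound to the session, embeds it in the form, and rejects any POST whose token does not recompute. The server secret, session id and form layout are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; load it from configuration in a real deployment, never from source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce), so a token is only valid for its own session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presented nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed or empty token
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_form(session_id: str) -> str:
    """Every state-changing form carries the token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/profile">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="display_name"><button>Save</button></form>'
    )


def handle_post(session_id: str, form: dict):
    """Reject the request before touching any state if the token is missing or wrong."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, "profile updated"
```

The token is tied to the session cookie, so a token captured from one user's form cannot be replayed against another session; a constructed `session_id` stands in for whatever the framework's session store provides.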
2) Make sure passwords, API tokens and session identifiers are all stored hashed.
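An added example (not from the original checklist) of the two hashing regimes this item needs: a slow, salted key derivation for passwords, and a plain SHA-256 digest for random API tokens and session identifiers, which are already high-entropy. The storage format and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # illustrative; tune so one hash costs about 100 ms on production hardware


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$<rounds>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare the digests in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # unknown or corrupted record
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def digest_token(token: str) -> str:
    """API tokens and session identifiers are random, so a single SHA-256 is sufficient:
    the database row holds the digest, only the client holds the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_token(presented: str, stored_digests) -> bool:
    """Lookup by digest; a leaked table of digests does not give an attacker usable tokens."""
    return digest_token(presented) in stored_digests
```

Passwords need the slow KDF because users choose them from a small space; tokens do not, and a fast hash keeps every API call cheap while still ensuring a database dump contains nothing a client could present.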
3) Use the X-Frame-Options and X-XSS-Protection headers in responses to the client.
4) Verify that GET requests are only used to read data from the server and never make significant changes to the state of your web application. For example, don't use a GET request to let the user change their profile details.
5) If there are APIs, whitelist the allowable methods. For example, GET reads a resource, POST creates a new resource, and DELETE deletes an existing resource.
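Items 4 and 5 together, as an added example that is not part of the original checklist: a small dispatcher with a per-route method allowlist, where GET is read-only and a method that is not listed gets a 405 with an `Allow` header instead of falling through to some default handler. The route, store and handlers are constructed for the example.

```python
import re
from http import HTTPStatus

# Constructed in-memory store for the example
PROFILES = {"alice": {"name": "Alice", "email": "alice@example.com"}}


def read_profile(user, body=None):
    # GET: read only. Nothing in the request can reach the store.
    profile = PROFILES.get(user)
    return (HTTPStatus.OK, profile) if profile else (HTTPStatus.NOT_FOUND, None)


def update_profile(user, body):
    # POST: the only route that changes the profile (CSRF-protected in a real app)
    if user not in PROFILES:
        return HTTPStatus.NOT_FOUND, None
    PROFILES[user].update(body or {})
    return HTTPStatus.OK, PROFILES[user]


def delete_profile(user, body=None):
    if user not in PROFILES:
        return HTTPStatus.NOT_FOUND, None
    del PROFILES[user]
    return HTTPStatus.NO_CONTENT, None


# Allowlist per route: a method that is not listed is refused, it never falls back to GET
ROUTES = [
    (re.compile(r"^/users/(?P<user>[a-z0-9]{1,32})/profile$"),
     {"GET": read_profile, "POST": update_profile, "DELETE": delete_profile}),
]


def dispatch(method, path, body=None):
    """Return (status, payload) for a request; 405 carries the Allow header as its payload."""
    for pattern, handlers in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        handler = handlers.get(method.upper())
        if handler is None:
            return HTTPStatus.METHOD_NOT_ALLOWED, {"Allow": ", ".join(sorted(handlers))}
        return handler(match.group("user"), body)
    return HTTPStatus.NOT_FOUND, None
```

Because state changes live only behind POST and DELETE, a link or image tag that triggers a GET cannot modify a profile, and the 405 response makes the allowed set explicit to API clients.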
6) Add backend validation for all form requests, even if there is front-end validation.
7) Make sure file uploads allow only the right file types.
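Items 6 and 7 together, as an added example that is not from the original checklist: server-side validation of a signup form that trusts nothing the browser did, and an upload check that requires both an allowlisted extension and matching file signature bytes, so a renamed script does not pass as an image. Field rules, size limit and the signature table are constructed for the example.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_signup(form: dict) -> dict:
    """Return {field: error}; an empty dict means the submission is acceptable."""
    errors = {}
    name = (form.get("name") or "").strip()
    if not 1 <= len(name) <= 64:
        errors["name"] = "must be 1-64 characters"
    email = (form.get("email") or "").strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "invalid email address"
    try:
        age = int(form.get("age", ""))
    except (TypeError, ValueError):
        errors["age"] = "must be an integer"
    else:
        if not 13 <= age <= 120:
            errors["age"] = "out of range"
    return errors


# Extension -> leading bytes the content must start with (constructed, extend per deployment)
ALLOWED_UPLOADS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(filename: str, content: bytes, max_bytes: int = 5 * 1024 * 1024):
    """Accept only allowlisted extensions whose content matches; return (ok, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_UPLOADS:
        return False, "extension not allowed"
    if len(content) > max_bytes:
        return False, "file too large"
    if not content.startswith(ALLOWED_UPLOADS[ext]):
        return False, "content does not match extension"
    return True, "ok"
```

The last extension is the one that counts, so `x.png.php` is refused on extension and `x.php.png` is refused on content; store accepted files under a server-generated name rather than the client's.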
8) Prevent access to .env via a public URL, e.g. http://domain.com/.env
9) Add request throttling to prevent brute-force attacks or denial-of-service attacks.
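An added example, not from the original checklist, of request throttling: a sliding-window limiter keyed by an arbitrary string, applied to a login endpoint by both client address and target account. The limits, the injectable clock and the key scheme are constructed for the example; a multi-process deployment would keep the counters in a shared store such as Redis instead of in memory.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """At most `limit` events per `window` seconds for each key (sliding window)."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so behaviour can be tested without sleeping
        self.hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login_throttled(limiter: RateLimiter, client_ip: str, username: str) -> bool:
    """True if this login attempt should be refused (HTTP 429).

    Counting per source address and per target account means the limit holds
    whether many attempts come from one address or one account is targeted from many.
    """
    ip_ok = limiter.allow(f"ip:{client_ip}")
    user_ok = limiter.allow(f"user:{username.lower()}")
    return not (ip_ok and user_ok)
```

Return 429 with a `Retry-After` header when throttled, and keep the per-account limit generous enough that a legitimate user who mistypes a few times is not locked out by the same rule that stops automated guessing.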
10) Make sure all SQL queries are safe from SQL injection.
11) Don't output error messages or stack traces in a production environment.
12) Don't use a weak password for the administrator panel.
13) Cookies must be httpOnly and secure and be scoped by path and domain.
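Items 3, 11 and 13 together, as an added example that is not code from the original checklist: a response wrapper that attaches the security headers, builds a session cookie with HttpOnly, Secure, Path and Domain set, and turns an unhandled exception into a generic 500 while the full traceback goes to the server log. Header values, cookie name and domain are constructed for the example; note that current browsers ignore X-XSS-Protection and rely on Content-Security-Policy instead, so the example sends both.

```python
import logging
import traceback
from http import cookies

log = logging.getLogger("app")
DEBUG = False  # production: stack traces go to the log, never to the client

# Constructed baseline headers for every response
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}


def session_cookie(session_id: str, domain: str = "example.com", path: str = "/") -> str:
    """Value for a Set-Cookie header: HttpOnly, Secure, scoped by Path and Domain, SameSite=Lax."""
    jar = cookies.SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["httponly"] = True   # not readable from JavaScript
    morsel["secure"] = True     # only sent over HTTPS
    morsel["path"] = path
    morsel["domain"] = domain
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def respond(handler, request: dict):
    """Run a handler; on failure log the traceback server-side and return a generic body."""
    headers = dict(SECURITY_HEADERS)
    try:
        status, body = handler(request)
    except Exception:
        log.error("unhandled error on %s\n%s", request.get("path"), traceback.format_exc())
        status = 500
        body = traceback.format_exc() if DEBUG else "Internal Server Error"
    return status, headers, body
```

The traceback is still captured in full, just on the server side, which is where an operator needs it; the client sees only the status code.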
14) Prevent reflected cross-site scripting by validating inputs.
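An added example (not from the original checklist) for a reflected search term: an allowlist validation on input, and HTML escaping on output so that whatever does get through is rendered as text, not markup. The allowlist pattern and page fragments are constructed for the example.

```python
import html
import re

# Allowlist for a search term: word characters, spaces and a few punctuation marks, bounded length
SEARCH_TERM = re.compile(r"[\w .,'\-]{1,100}")


def validate_search_term(raw):
    """Return the term if it matches the allowlist, otherwise None."""
    if raw is None or not SEARCH_TERM.fullmatch(raw):
        return None
    return raw


def render_results_page(raw_term):
    """Validate on input, escape on output: reflected input never reaches the page as markup."""
    term = validate_search_term(raw_term)
    if term is None:
        return 400, "<p>Invalid search term.</p>"
    return 200, f"<p>Results for <b>{html.escape(term, quote=True)}</b></p>"


def render_search_box(value: str) -> str:
    """Attribute context: escape quotes as well, and always quote the attribute."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'
```

Validation keeps obviously hostile input out of the application; escaping is what actually prevents the injection, so apply it to every reflected value even when validation already passed (the apostrophe the allowlist permits is a good illustration of why).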
15) Verify that only users with appropriate permissions can access privileged pages.
16) Restrict direct file access.
17) Don't use old versions of frameworks. Frameworks release patches that fix security holes.
18) Don't keep database backups or source code backups in the public root.
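Items 8, 16 and 18 together, as an added example that is not code from the original checklist: the path check a static-file handler applies before serving anything under the public root. It refuses paths that escape the root, any dotfile or dot-directory (`.env`, `.git/config`, `.htaccess`), and the backup and dump suffixes that should never sit there in the first place. The denied suffix list and the demo directory tree are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Names that never belong under the public root: dumps, backups, editor leftovers (constructed list)
DENY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old", ".orig", ".swp", ".zip", ".tar", ".tar.gz")


def resolve_public_path(root, url_path: str):
    """Map a URL path to a file under root, or return None when it must not be served."""
    root = Path(root).resolve()
    rel = unquote(url_path).lstrip("/")          # decode %2e%2e-style encodings before checking
    candidate = (root / rel).resolve()           # collapses '..' and follows symlinks
    if candidate != root and root not in candidate.parents:
        return None                              # escaped the public root
    parts = candidate.relative_to(root).parts
    if any(part.startswith(".") for part in parts):
        return None                              # .env, .git/..., .htaccess
    if candidate.name.lower().endswith(DENY_SUFFIXES):
        return None                              # backups should not be here, refuse them regardless
    if not candidate.is_file():
        return None
    return candidate


def make_demo_root() -> Path:
    """Constructed directory tree for the example."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / ".env").write_text("DB_PASSWORD=constructed-example")
    (root / "db-backup.sql").write_text("-- constructed dump")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text("console.log(1)")
    return root
```

At the web-server layer the equivalent is a location rule that returns 404 for any path component starting with a dot; the stronger fix for `.env` and backups is to keep them outside the document root entirely so no rule is needed.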
19) If there are APIs, secure them with the right authentication methods.
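Items 15 and 19 together, as an added example that is not from the original checklist: bearer-token authentication for an API (the token is looked up by its SHA-256 digest, so only digests are stored) followed by a permission check before the handler runs. User records, roles, permissions and the `Authorization` parsing are constructed for the example.

```python
import hashlib
import secrets
from functools import wraps

# Constructed stores for the example: token digests -> username; users -> role; role -> permissions
TOKEN_DIGESTS = {}
USERS = {"alice": {"role": "admin"}, "bob": {"role": "user"}}
PERMISSIONS = {"admin": {"users:read", "users:delete"}, "user": {"users:read"}}


def issue_token(username: str) -> str:
    """Return the plaintext token once; only its digest is kept server-side."""
    token = secrets.token_urlsafe(32)
    TOKEN_DIGESTS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def authenticate(headers: dict):
    """Resolve 'Authorization: Bearer <token>' to a username, or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not value:
        return None
    # Lookup by digest of a random token: timing of the dict lookup reveals nothing usable.
    return TOKEN_DIGESTS.get(hashlib.sha256(value.encode()).hexdigest())


def requires(permission: str):
    """Decorator: 401 when unauthenticated, 403 when authenticated but not permitted."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(headers, *args):
            user = authenticate(headers)
            if user is None:
                return 401, "authentication required"
            if permission not in PERMISSIONS[USERS[user]["role"]]:
                return 403, "forbidden"
            return handler(user, *args)
        return wrapped
    return decorator


@requires("users:delete")
def delete_user(actor, target):
    return 200, f"{actor} deleted {target}"


@requires("users:read")
def read_user(actor, target):
    return 200, f"{actor} read {target}"
```

The check runs inside the decorator on every call, so a privileged page cannot be reached by guessing its URL; authentication (who is calling) and authorization (what they may do) are deliberately two separate answers with two separate status codes.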
20) Avoid accidentally committing the private keys, passwords or other sensitive details to GitHub or Bitbucket.
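An added example (not from the original checklist) of a pre-commit check for this item: it scans only the added lines of a staged diff against a few credential patterns and fails the commit on a hit. The patterns are constructed and deliberately not exhaustive; the sample diff uses AWS's documented example key id and a fake key block, not real secrets.

```python
import re
import sys

# Constructed patterns; noisy by design, a hit is reviewed by a human before the commit proceeds
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hard-coded credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_added_lines(diff_text: str, patterns=SECRET_PATTERNS):
    """Scan only '+' lines of a unified diff; return [(file, line_text, label), ...]."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue                      # context, removed lines and headers are not committed content
        added = line[1:]
        for label, pattern in patterns.items():
            if pattern.search(added):
                findings.append((current_file, added.strip(), label))
    return findings


# Constructed staged diff for the example
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+DATABASE_PASSWORD = "constructed-example-pw"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.com"]
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(constructed placeholder, not a real key)
"""


if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python check_secrets.py
    hits = scan_added_lines(sys.stdin.read())
    for path, text, label in hits:
        print(f"{path}: {label}: {text}")
    sys.exit(1 if hits else 0)
```

Pair the hook with a `.gitignore` entry for `.env` and key files, and remember that a secret that was committed and then removed is still in history and must be rotated.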