I think common sense security is your best bet. I am doubtful anyone is going to be doing anything too sophisticated to my site, and honestly if they do, good job. All about understand the threats relative to your current state.

HTTPS, can't inject script or SQL, can't use endpoints w/o authentication, hashing passwords.

use a secure developer tools like frameworks: django and laravel had a lot of secure!