Web application security boils down to a few basic principles.
- Always use a secure connection for non-public data (SSL/TLS, i.e. HTTPS).
- Always authorize on the server side (the client may claim an identity after authentication, but validate that claim and authorize every action on the server).
- Always clamp down on transmitted data (send the client only what it should be able to see; in the end, anything you send is fully visible to the client, no matter what you think you've done to hide it).
- Zero Trust.
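As an added example (not part of the original post), here is a minimal Python model of the second and third principles: a handler that trusts a client-claimed role and returns the whole record, beside one that derives identity from a server-side session, authorizes there, and returns only whitelisted fields. The session table, role table and records are constructed sample data.

```python
# Added example: server-side authorization and response minimization.
# All data below is constructed sample data standing in for a session store,
# a role table and a database.

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> authenticated user
ROLES = {"alice": "admin", "bob": "user"}             # roles live on the server, never in the request
RECORDS = {
    1: {"id": 1, "owner": "alice", "title": "Q3 plan", "ssn": "000-00-0000", "notes": "internal"},
    2: {"id": 2, "owner": "bob", "title": "Expenses", "ssn": "111-11-1111", "notes": "internal"},
}
PUBLIC_FIELDS = ("id", "owner", "title")              # the only fields a client should ever receive


def handle_insecure(request):
    """Anti-pattern: trusts the user and role the client claims, and sends the
    whole record, so a forged 'role': 'admin' reads anyone's data, SSN included."""
    record = RECORDS[request["record_id"]]
    if request.get("role") == "admin" or request.get("user") == record["owner"]:
        return 200, record
    return 403, None


def handle_secure(request):
    """Identity comes from the server-side session, the authorization decision is
    made here against the server's own role table, and the response is clamped
    to PUBLIC_FIELDS regardless of what the client asked for."""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        return 401, None                              # not authenticated
    record = RECORDS.get(request.get("record_id"))
    if record is None:
        return 404, None
    if ROLES[user] != "admin" and record["owner"] != user:
        return 403, None                              # authenticated, but not authorized
    return 200, {k: record[k] for k in PUBLIC_FIELDS}
```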