D2 · Threats

What is web security?

Web security encompasses: input validation (prevent injection), output encoding (prevent XSS), CSRF protection, authentication (strong, MFA), session management (secure cookies), TLS (transport security), security headers (CSP, HSTS).
Web apps are the most attacked application type. OWASP Top 10 is the baseline checklist. Defense in depth: secure code + WAF + DLP + monitoring. HTTPS everywhere is the minimum. Security headers are free — no excuse for not implementing them.