Pretty much in the same boat as you. The one thing I am making sure is anything that goes into the database is properly validated and sanitised as mentioned by the other user. Keeping keys as environment variables rather than in the files would be other. Write lots of tests if you are not already doing so. But at the same time also keep in mind that there should be a fine balance , in my humble opinion, in putting in time to make your system secure and moving fast and getting the product out to market. Unless of course your product sells security. Cover your basics and add in more protections once you get a product market fit.

What are the more protections you are referring to in your last sentence?

Sorry for the late reply. As I said I am in the same boat as you so just worried about how I could get prevent myself from being "hacked". Email verification for user signups is something I am doing. Apart from that just looking at every piece of code and not relying just on the client side stuff(javascript) :)

Check this link http://techcrunch.com/2015/01/22/security-for-startups-in-10... It may help to some extent.

Thanks! That was good :)

Hard to say too much not knowing what infrastructure its on, but would start with the basics of good input sanitization to avoid sql injection.

Currently my webapp is built using PHP and MySQL LAMP stack and is hosted on AWS EC2. I have taken care to avoid SQL injections.