You can use this service, ssllabs.com/ssltest, to search and look for security details about public websites like google.com. If you click on a search result, you get a huge list of items that are relevant to security. It's crazy to implement each item, but it's worth it when apps and sites are growing.
If you are doing something with Node.js, I think this checklist, blog.risingstack.com/node-js-security-checklist, is easier to follow and understand.