OWASP's Top 10 Application Security Risks would be a starting point in addressing web security vulnerabilities: https://www.owasp.org/index.php/Top_10_2017-Top_10. In particular, because the app uses MongoDB (NoSQL) for the backend database, all incoming data sent to the server should be validated and filtered before it is placed in a query, to prevent NoSQL injection (the MongoDB equivalent of SQL injection). The classic case is a JSON body that carries a query operator such as {"$gt": ""} or {"$ne": null} where a string was expected; dropped straight into a find() filter, it turns an equality check into one that matches every record.
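The following is an added example, not code from the app or the linked article, showing how an operator payload bypasses a naive MongoDB login filter and how a type-checked filter stops it. Because it has to run offline, a tiny in-memory matcher (supporting only $eq, $ne and $gt, and treating a plain object as embedded-document equality, as MongoDB does) stands in for the database; the users, payload and function names are constructed for illustration.

```javascript
// Added example: NoSQL operator injection against a login filter, and a
// hardened version. The matcher below is a stand-in for MongoDB's find().
'use strict';

// Constructed sample collection (plaintext passwords only to keep the demo short;
// a real app compares against a slow salted hash).
const USERS = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob',   password: 's3cret!' },
];

// Evaluate one field condition. An object whose keys start with '$' is an
// operator expression; any other object is compared as an embedded document.
function fieldMatches(value, cond) {
  if (cond === null || typeof cond !== 'object') return value === cond;
  const keys = Object.keys(cond);
  if (!keys.some(k => k.startsWith('$'))) {
    return JSON.stringify(value) === JSON.stringify(cond);
  }
  return keys.every(op => {
    const arg = cond[op];
    switch (op) {
      case '$eq': return value === arg;
      case '$ne': return value !== arg;
      case '$gt': return typeof value === typeof arg && value > arg;
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([k, cond]) => fieldMatches(doc[k], cond)));
}

// VULNERABLE: the parsed JSON body goes straight into the filter, so the
// client controls not just the values but their types.
function vulnerableLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// HARDENED: insist on plain strings, and wrap them in $eq so the value can
// never be interpreted as an operator document.
function hardenedLoginFilter(body) {
  for (const key of ['username', 'password']) {
    if (typeof body[key] !== 'string') {
      throw new TypeError(`${key} must be a string`);
    }
  }
  return { username: { $eq: body.username }, password: { $eq: body.password } };
}

// Defence in depth: recursively drop keys beginning with '$' or containing '.'
// from any incoming object (the approach taken by express-mongo-sanitize).
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue;
      out[k] = stripOperators(v);
    }
    return out;
  }
  return value;
}

// Attacker's JSON body: {"username": {"$gt": ""}, "password": {"$gt": ""}}
const INJECTED = { username: { $gt: '' }, password: { $gt: '' } };

// Run the three cases and report what each filter matched.
function demo() {
  const bypass = find(USERS, vulnerableLoginFilter(INJECTED));
  let blocked = false;
  try { hardenedLoginFilter(INJECTED); } catch (e) { blocked = e instanceof TypeError; }
  const stripped = find(USERS, vulnerableLoginFilter(stripOperators(INJECTED)));
  const legit = find(USERS, hardenedLoginFilter({ username: 'alice', password: 'hunter2' }));
  return { bypassCount: bypass.length, blocked, strippedCount: stripped.length, legitCount: legit.length };
}
```

With the injected body, the vulnerable filter matches both users (an attacker logs in as the first one returned), the hardened filter throws before any query is built, and the operator-stripping pass alone reduces the payload to empty objects that match nothing. Type checking at the boundary is the primary control; stripping is a backstop for fields the handler forgot to check.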
In addition, account passwords need to be vetted at registration to reject weak ones (too short, or present in common-password lists), and they should be stored only as salted, slow hashes so that precomputed rainbow tables are useless against a leaked database.
Some relevant links:
https://zanon.io/posts/nosql-injection-in-mongodb
https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
http://project-rainbowcrack.com/table.htm
https://wiki.skullsecurity.org/Passwords
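The password vetting mentioned above, as an added example that is not part of the original note: a server-side check combining a length floor, a deny list, a username check and a sequence check. The deny list here is a small constructed stand-in for a real common-password list such as those linked above; the threshold, leetspeak table and function names are illustrative choices, not requirements from the app.

```javascript
// Added example: reject weak passwords before they are hashed and stored.
'use strict';

const MIN_LENGTH = 12;

// Constructed stand-in for a large common-password list (lowercase entries).
const COMMON_PASSWORDS = new Set([
  'password', 'password1', '123456', '12345678', 'qwerty', 'letmein',
  'welcome', 'admin', 'iloveyou', 'monkey', 'dragon', 'football',
]);

// Sequences that people type as "passwords"; checked forwards and backwards.
const SEQUENCES = [
  'abcdefghijklmnopqrstuvwxyz',
  '0123456789',
  'qwertyuiopasdfghjklzxcvbnm',
];

// Fold common variations back to the base word so that "P@ssw0rd123!" is
// recognised as "password": lowercase, drop trailing digits/punctuation,
// then undo simple leetspeak substitutions.
function normalise(password) {
  const leet = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };
  return password
    .toLowerCase()
    .replace(/[\d!@#$%^&*.]+$/, '')
    .replace(/[@43!10$57]/g, c => leet[c]);
}

// Returns { ok, reasons }; every failing rule is reported so the user can fix
// all of them in one go rather than one per submission.
function vetPassword(password, username = '') {
  if (typeof password !== 'string') return { ok: false, reasons: ['not a string'] };
  const reasons = [];
  const lower = password.toLowerCase();

  if (password.length < MIN_LENGTH) {
    reasons.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(normalise(password))) {
    reasons.push('matches a common password');
  }
  if (username && lower.includes(username.toLowerCase())) {
    reasons.push('contains the username');
  }
  if (/^(.)\1+$/.test(password)) {
    reasons.push('single repeated character');
  } else if (SEQUENCES.some(seq => seq.includes(lower) || [...seq].reverse().join('').includes(lower))) {
    reasons.push('keyboard or alphabet sequence');
  }
  return { ok: reasons.length === 0, reasons };
}
```

This runs on the plaintext submitted at registration or password change, before hashing; nothing here replaces the need to store the result with a salted, deliberately slow hash, which is what makes rainbow tables like the ones linked above irrelevant.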