Information Security


Author: Gary Johnson

Date: 2022-01-02

If you want to secure a web application, you are correct that three key components to consider are these:

To this, I would add (at least):

In particular, a good information security plan should include these elements at a minimum:

1. Distributed/redundant server hosting in the event of datacenter outages (e.g., power failures due to storms, wildfires, or electrical outages).

2. Strong firewall rules on hosting servers. Only those ports and transport protocols (TCP vs UDP) that are needed for operation should be kept open.

3. All ports carrying external network traffic should use modern encrypted protocols (e.g., HTTPS, SSH, FTPS or SFTP), ideally using at least TLSv1.3 for perfect forward secrecy.

4. Any non-encrypted ports should automatically redirect to their encrypted equivalents (e.g., HTTP -> HTTPS).

5. All access to restricted content on web/database servers should go through an authentication step (e.g., username/password logins, public/private keypair exchanges, certificate validation, OAuth tokens).

6. If client privacy is required/desired, then data uploaded to the provider's servers should be encrypted before upload using GPG on the client's computer.

7. If the server provider wishes to secure their stored data against hacking attempts, then all data should be encrypted before storage using GPG on the server.

8. No sensitive information should be transmitted from the server to the client's browser (e.g., passwords, private keys, access tokens) unless that information is already guaranteed to be known by the client.

9. Access to third-party servers from the user's browser should be controlled with specific CORS settings on those servers rather than providing completely open access to anyone. A common use case for this is using a GeoServer to provide map imagery to a web mapping application.

10. When storing persistent data on the user's machine (e.g., browser cookies), the user should be clearly notified that this is being done and allowed to either opt-in or experience reduced (or no) functionality.

11. All persistent data on the provider's servers should be automatically backed up on a regular basis, the cadence of which should be dictated by the needs of the application.

12. Backups should be kept on the same machine as the web and database servers for quick restoration after a failure, and also copied to a remote machine, ideally in a separate datacenter, to protect against hardware failure or other compromises of the original datacenter.
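Item 9 in practice, as an added example that is not part of the original page: a small Python model of the CORS decision a map server (such as the GeoServer use case above) should make, with the "completely open" setting flagged by an audit helper. The allowed origin `https://maps.example.org` is a constructed placeholder, not a host from the page.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Origin of the web mapping application allowed to fetch imagery from this
# server. Constructed example value; the page names no hosts.
ALLOWED_ORIGINS = {"https://maps.example.org"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for a well-formed Origin header, else None."""
    try:
        p = urlsplit(origin)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname or p.path or p.query:
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    return f"{p.scheme}://{host}" if port in (None, default) else f"{p.scheme}://{host}:{port}"


def cors_response_headers(request_origin: Optional[str], allow_credentials: bool = True) -> Dict[str, str]:
    """CORS headers the server should send for one request.

    Open setting: 'Access-Control-Allow-Origin: *' lets any site read the reply.
    Correct: echo the Origin only when it is exactly in the allow-list, and send
    'Vary: Origin' so a cache never replays one origin's headers to another.
    Exact set membership also avoids the substring bug where a 'contains
    example.org' check would accept maps.example.org.other.example.
    """
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin or "")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # no Allow-Origin header: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Flag the 'completely open' configuration item 9 warns against."""
    findings = []
    acao = headers.get("Access-Control-Allow-Origin")
    if acao == "*":
        findings.append("Allow-Origin '*': every website can read this server's responses")
    if acao and acao != "*" and "Origin" not in headers.get("Vary", ""):
        findings.append("per-origin Allow-Origin without 'Vary: Origin': caches may serve it to other origins")
    return findings
```

Scheme and port are part of the origin, so `http://maps.example.org` is rejected even though the host matches.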