My plan for securing web app: are there holes?

I've developed a CodeIgniter project tracking app for a client which lives at a public URL but is used privately. It includes a simple REST API, used exclusively for a Dashboard widget and Cocoa menu bar app though it will grow later.

Originally designed for a small team, the app is going to be used more broadly within the (large) company. My plan to grow and secure it...

1. Evaluate traffic needs, project resource usage, and scale hostin开发者_开发技巧g accordingly.
2. Rely exclusively on HTTPS and purchase a decent SSL certificate.
3. Require authentication for the REST API.
4. Actively monitor for abuse and have a blacklist (or several) in place.

Are there any obvious issues that need to be addressed or best practices to follow for a private/public app such as this?

It's a rather broad question. There are several complicated facets.

SSL is good; think about enabling CI's CSFR protection

Lock down your server. Close ports like email and ftp if you don't need them. Google for tutorials or ask specific questions based on your OS.

A great guide of form-based auth stuff: The definitive guide to form-based website authentication

Make sure your permissions are how you want them. e.g. keep private things private. Design a policy for granting and revoking access.