The main security problem with all websites is how strings of characters are handled.
Once you have a good understanding of strings, you can cover some of the finer points of web security:
- Strings - yes, it is really important.
- Cross-site request forgery - aka CSRF.
- Cross-site scripting - aka XSS.
- Site framing - used in clickjacking.
- Strict transport security - to avoid "man in the middle" attacks.
- Content security policy - for added protection against XSS.
- Login and passwords - when authenticating users.
- File uploads - and what happens to those files.