Enable the CSRF filter (it is off by default), escape output with esc() in the context it lands in, add the honeypot filter, and force HTTPS in CI4.
Security in CI4
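// CSRF is NOT on by default in CI4: the filter only runs once "csrf" is added
// to the global "before" filters. Keep the honeypot filter next to it as a
// cheap bot trap.
// app/Config/Filters.php
public array $globals = ["before" => ["honeypot", "csrf"]];
// Every state-changing form (POST/PUT/PATCH/DELETE) must carry the token or
// the filter rejects the request. csrf_field() only covers HTML forms; AJAX /
// JSON clients have to send the token themselves (csrf_token()/csrf_hash()).
echo csrf_field();
// Escape ALL user-controlled output, choosing the context the value lands in.
// Escaping is an output-side control only - never use esc() as an SQL or
// shell "sanitizer" (use query bindings / Query Builder for SQL).
echo esc($userInput);         // HTML body context (the default)
echo esc($userInput, "attr"); // inside a quoted HTML attribute value
echo esc($userInput, "js");   // inside a <script> string literal
// "url" percent-encodes a single URL *parameter* (e.g. a ?q= value); passing a
// whole URL through it mangles the scheme and slashes. An href built from user
// input additionally needs its scheme validated (http/https), which esc() does
// not do.
echo esc($queryValue, "url");
// Force HTTPS - app/Config/App.php (plain-HTTP requests are redirected and an
// HSTS header is sent, so test on a throwaway host first).
public bool $forceGlobalSecureRequests = true;
// Content Security Policy headers. These only take effect once CSP is switched
// on ($CSPEnabled = true in app/Config/App.php); otherwise they are inert.
// Prefer nonces over "unsafe-inline"; a nonce only helps if it is unique per
// response and unguessable.
$csp->defaultSrc = ["self"];
$csp->scriptSrc = ["self", "nonce"];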