It's sad to say, but a lot of web applications on the market are not as secure as they should be.
There is a tool called Observatory provided by the fine people at Mozilla that can demonstrate what I mean.
This site allows you to enter a website and it will analyze its security conditions: headers, policies, etc. It will assign a rating according to a number of tests and determine just how secure the website or app is. If you enter a site that you use often, you will find it is very rare to encounter a site with an A rating. Good ones come up with a B rating (like twitter), others a C rating (like instagram) and quite a few with a D or lower (which I will not name here). Just have a look at this grade distribution.
The specifics of why sites get high or low grades is complex, and has a lot to do with the way attackers take advantage of the powerful features web has to offer, to ultimately get at not just your site, but your users as well.
Whatever I build, I guarantee a B grade or higher so you can have peace of mind for yourself, and for your users.