authentication – Doubts about safety in a project on web

I aim to learn more about technology, especially about the web, and one of my biggest fears is to compromise my customers…

Suppose I am approved to work for a company, well, one of my plans would be to build a system on the web for the company, because I am a web developer, I do not build software, because my passion is the web. I’m not a professional, but I have a little knowledge, one of the things I would do is:

1. Change Windows to Linux – I would change the operating system of computers to Linux, because it is more agile and secure, because most of the time malicious people create software to compromise Windows operating systems, using .exe files, which cannot be run on Linux. I recognize that all systems are vulnerable, there are viruses for all types of systems, but I really think that many people plan to create malicious software that runs on Windows, for me running Linux on all computers would be better, we would avoid certain attacks and also computers would be faster, you know, Linux has more advantages, I can’t say much here.

2. Educate machine users – Something interesting that I think about doing is educating users, I believe that it is extremely important to make everyone aware of the risks of doing certain tasks. It would be great to create an instruction manual, warning about several attacks, such as Phishing, DNS cache poisoning, Spoofing Attacks, Eavesdropping, and Downloading files from the internet, I just said some possible means of attacks because I don’t know much about them, but surely there is much more. Educating users would be excellent, because most of the time some attacks are made due to the user’s action.

3. Create a system on the web – Well, I’m a web developer, I don’t consider myself a professional, but I have knowledge and I’m always looking to improve my skills, something I think about a lot before developing is about the safety of the users who will use the system. I plan to create a website in the cloud, we will not use a desktop program, because I have no knowledge of software languages. As you know, if it is a company, then it has money involved, so it is effective to work hard on security, what I intend to do is create an EC2 instance (AWS) and in the firewall rules allow only the IPs of the company’s computers to access the website, it may be possible to do such a thing using PHP or Nginx, in PHP I could simply create a matrix and assign the IPs of the machines in that matrix, and then create a control structure to check if the agent’s IP (user) exists in the created matrix, if so, then the user can access the website, otherwise the user simply will not have access to the page.

Example script:

<?php

class RemoteAddress
{
    /**
     * List of trusted IP addresses
     * 
     * @var array
     */ 
    protected $trustedIPs = array('127.0.0.1', '192.168.0.101', '192.168.0.102', '192.168.0.103');

    /**
     * Checks the client IP address against the trusted list
     * and redirects to the site or to the error page
     */
    public function isDefinedIpAddress()
    {
        $ip = $_SERVER['REMOTE_ADDR']; // $_SERVER is an array, not a function
        if(in_array($ip, $this->trustedIPs)){
            $this->returnPage();
        } else {
            $this->returnErrorPage();
        }
    }

    /**
     * Redirects the user to the success page
     * The user will be able to access the website
     */
    private function returnPage() 
    {
        header('Location: index.php');
        exit();
    }

    /**
     * Redirects the user to the error page
     * The user will not be able to access the website
     */
    private function returnErrorPage() 
    {
        header('Location: 403.html'); // We can display a forbidden message maybe...
        exit();
    }
}

$object = new RemoteAddress();
$object->isDefinedIpAddress();

I don’t know if this method with PHP is efficient, but maybe it is useful? I believe it is better to do this for the EC2 instance, in the firewall rules of the virtual machine. As a professional, what do you think of this idea? In my opinion this could be an extra layer of security in the application.
Of course, if this idea is effective, something interesting would be to show the user a login panel so that he can access the entire system, and enable two-factor authentication when the user tries to log in, send an SMS to his phone or else use Google Authenticator. In my point of view it’s a good idea, but I’m not really that experienced so I don’t know if I’m thinking the right way, because I don’t want to compromise the company.

I am aware that there are many things to do to acquire security on the web, security headers are also required, HTTPS, HSTS, Data Sanitization, and more. My biggest fear is creating something that can compromise, for me it would be an honor to receive responses from people experienced in the area of information security, I recognize the potential of everyone who is dedicated to helping people in this community, they are excellent people, I really wanted to know if I’m thinking right, if there is any chance of this being possible, because I only know how to program on the web, and my dream is to work in x company, but for that I need to have projects to present to the manager, and I cannot present a project that can compromise the whole company, I recognize that alone I cannot create something totally safe, but at least I want to be able to understand if there are chances, I want to transmit my knowledge and make people see that I will dedicate myself to make the company better.

I’ve never studied at a real university, so I don’t have so much knowledge about technology, but I’m looking to evolve day by day, so for you maybe my idea is futile, I just need you to tell me if I’m on the right track, if possible educate me about certain I really need to learn more and more.

Thanks for listening!

Note: I am currently looking for a job, these are my ideas for working in the IT area, I need to know if I’m on the right path so that I can try to join, because I do not want to compromise the company. Your answer will help me a lot, I don’t know if I’m asking this question on the right site, but my doubts are about security, so I think this is the right place? Thanks again for your attention
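
The IP check described in the question, as an added example that is not part of the original post: it matches REMOTE_ADDR against single addresses and CIDR ranges (IPv4 or IPv6), fails closed on anything unparsable, and answers 403 directly instead of redirecting. The class name and the sample addresses are constructed for illustration; PHP 8.0+ and a server reached directly, with no proxy or load balancer in front, are assumed.

```php
<?php
// Added example, not the poster's code. Addresses are constructed samples.
final class IpAllowlist
{
    /** @param string[] $entries single addresses or CIDR ranges */
    public function __construct(private array $entries) {}

    public function allows(string $ip): bool
    {
        $addr = @inet_pton($ip);
        if ($addr === false) {
            return false; // unparsable client address: fail closed
        }
        foreach ($this->entries as $entry) {
            $parts = explode('/', $entry, 2);
            $net = @inet_pton($parts[0]);
            if ($net === false || strlen($net) !== strlen($addr)) {
                continue; // malformed entry, or IPv4 vs IPv6 mismatch
            }
            $max = strlen($net) * 8;
            $bits = $parts[1] ?? (string) $max; // no prefix: exact match
            if (!ctype_digit($bits) || (int) $bits > $max) {
                continue; // never let a bad prefix widen the match
            }
            if ($this->samePrefix($addr, $net, (int) $bits)) {
                return true;
            }
        }
        return false;
    }

    /** Compares the first $bits bits of two packed addresses. */
    private function samePrefix(string $a, string $b, int $bits): bool
    {
        $bytes = intdiv($bits, 8);
        $rem = $bits % 8;
        if (substr($a, 0, $bytes) !== substr($b, 0, $bytes)) {
            return false;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF; // top $rem bits of next byte
        return $rem === 0 || (ord($a[$bytes]) & $mask) === (ord($b[$bytes]) & $mask);
    }
}

$allowlist = new IpAllowlist(['127.0.0.1', '192.168.0.0/24']);
// REMOTE_ADDR is the TCP peer address; client-supplied headers are not consulted.
if (!$allowlist->allows($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403); // answer 403 in place, no redirect
    exit('Forbidden');
}
```

Behind a proxy or load balancer REMOTE_ADDR holds the proxy's address, so the same restriction then belongs at that layer or in the EC2 security group.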