web application – How do I decide what security measures are appropriate?

This thought came to me when one of my colleagues said that we’re protecting mailhog (restricting access by IP) on a staging server so that passers-by are not able to read mail, but leaving the site open because some external services might need to make HTTP requests to it. I think it shouldn’t be difficult to special-case some specific endpoints for the services. But I don’t particularly trust search engines to respect robots.txt. So I wouldn’t be surprised to find the staging site in the SERP, which might affect the production site’s ratings. Well, I might be wrong about both.

Or the fact that passport/express-session are vulnerable to session fixation attacks. Okay, one can probably say that avoiding this attack is left as an exercise for the users. But the solutions are fragile.

Another case is web authentication, where sessions are stored on the client (JWT). I’m planning to build a prototype in the future, but my impression is that there are different options, none of them is perfect, and some of them differ in “paranoidness.”

Can you explain how I decide what is overkill and what is not? On these examples, or others? Ideally in the area of web development.