Web development
superyashaaa, 2021-09-04 16:47:33

What is the best way to implement secure registration on the site?

What is planned
• data transfer via https
• creation uses 1 uppercase character and 1 special character
• locked for password reuse 
• password hashing (backend hashing in a separate server)
• what else can be done?

4 answer(s)
ThunderCat, 2021-09-04

• data transfer via https
The only really necessary condition.
• creation uses 1 uppercase character 1 special character
What kind of creation? A wallet password? These requirements are infuriating on completely random sites; give the user the freedom to choose their own security, do not think of yourself as Google or the navel of the world. You can simply warn that "the password is weak and you use it at your own risk."
• locked for password reuse
Oh, the classic: "you can't use the password 123 because it's already used by user Admin"...
• password hashing (backend hashing in a separate server)
For storing passwords there are special functions with a configurable brute-force difficulty; in PHP these are password_hash and password_verify, use them. A bare hash is easily brute-forced. You don't need a separate server for this.
• what else can be done?
For example, take some standard library and see how this functionality is implemented in it...

Adamos, 2021-09-04

• creation uses 1 uppercase character 1 special character

Popular nonsense that keeps wandering through manuals and textbooks.
It is not simple passwords that are dangerous, but dictionary ones.
For example, the dictionary word "Password1", which many users will type in instead of a normal password when faced with these stupid requirements. Without them, users calmly use something like "letmypiplgo", which is easy for them to remember, and no bot will guess it.
* intentional typo

Wataru, 2021-09-04

All these requirements for password complexity and uniqueness are bad. You are only forcing users to use weak, easy-to-remember passwords, because users will not remember a proper one with all the special characters. Yes, computing the password strength and warning the user is good. But it doesn't have to be a hard limit.

superyashaaa, 2021-09-04

I found a good lecture on the topic "OAuth / OpenID Connect Authentication in Enterprise and the Open API Environment"
https://www.youtube.com/watch?v=i7vuFHH0nxY&ab_cha ...
PS: thanks, YouTube
