Register as an OWASP member at
https://owasp.org/membership/
it costs 50 bucks a year
and get access to the SecureFlag Platform
a good option, the
rest are only corporate or very expensive!

Secure web development is, in essence CORS, CSPprotection from XSS, protection from, CSRFand password hashing
UPD:
Vadim , If you do not want data that you do not expect to come to you on the API, use validation with whitelisting. If you need to limit the places where a request can come from, configure CORS.
If you want to limit the number of requests per endpoint within a certain amount of time from one IP - Use RateLimit. About the correct construction of authorization is also not entirely clear. Which is better for you: JWT or OAuth2? All strategies have long been invented and doing something wrong will also be difficult.
It is necessary to securely transmit data on the network - HTTPS and SSL.
Want to close all ports except 443? - use firewall.
There is no need to study the “principles of secure web development”, when you start writing something, you will immediately see all the weaknesses and start looking for solutions specifically for your situation. And so, you will not make yours safer.
fetch('https://api.com')

I disagree with my colleagues that "there is nothing to study there, and everything is clear" :) The topic is large and interesting, there is no digging to dig.
I'm not an expert, but the picture seems like this:
- according to the information - smoking owasp, at least. There were sites with translations of articles from ovaspa, and their own materials on web security;
- for development - you are equipped with static analyzers (SonarQube, Bandit for python, etc.). The analyzer will indicate suspicious places, and you will improve your understanding of possible attack vectors;
- for testing - check with scanners like OWASP Zap, https://www.ssllabs.com/ssltest/analyze.html . Again, analysis of the positives will give an understanding of how you can be attacked, how you can do it, and how you can’t;