Python/Django, PostgreSQL, React, EC2.

Django actually has pretty good out of the box security settings and support for XSS, CSRF and SQL injection protection, support for bcrypt and argon2, setting password rules/validation through settings, etc:

https://docs.djangoproject.com/en/1.11/topics/security/