It depends entirely on what technologies you are specifically exposing. If you are serving a page with a web server application like Nginx or Apache, you should read about securing those applications. If you are writing a NodeJS application, you should read something specific to that.
Please don't do that. It's a terrible idea because CloudFlare will then get to decide who gets to see your website or not (and CloudFlare hates privacy tech like Tor), and also because then CloudFlare will terminate the HTTPS (TLS) connection on their side so they essentially get to know all your passwords.
I've selfhosted on 64Kbit/s modem then xDSL for years without a problem (apart from bots trying default passwords). If you are really afraid you'll run into DDOS attacks and whatnot, consider using a small 2-5$/mo VPS as reverse-proxy instead of CloudFlare to retain control of your infrastructure.
If you want something very general and comprehensive, you can read this, although it is probably too involved for a basic "website": https://owasp.org/www-project-web-security-testing-guide/sta...