Security best practices for my first ever Node, MongoDB, Nginx production app on an Ubuntu VPS

So as the title says I’m just deploying my first ever app in production.

Because I don’t have experience, I was told to ask someone who knows this stuff.

So how should I ensure the best security for my VPS and for my app?

For now I did everything from this link (about node.js)

https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely

and from here about mongodb: https://docs.mongodb.com/manual/security/

For the VPS all I did was disable password auth, root auth and use RSA authentication.

I am also thinking about a firewall, but I don’t really know what to use. Is ‘ufw’ sufficient?

Also, what ports should I block? I’m thinking about blocking everything instead of the one I’m running SSH and the one for hosting my Nodejs apps. Would that be okay?

Also, if I run my nodejs app on port 8080, can I also run MongoDB on that port too? Why would I want to run it on a different port and leave it open, when I can run it on 8080 too?

Sorry for the big list of questions but I have no one to ask about this stuff. I feel like this would be a good place to ask all of these things.