For a startup, I'd suggest at a minimum you use a CDN like Fastly or Cloudflare in front of your application to prevent basic DDoS attacks. In addition, you'll need to pay particular attention to rate-limiting your login and registration APIs/forms so that you won't have bot attacks and brute-force attacks against your site. The CDN's usually don't provide rate-limiting so you may want to use something like Amazon AWS's functionality for this.