I will be using the Coinbase API. Is there anything to prevent someone hacking my web app?
If your web app gets hacked, you are fucked. To access the Coinbase API you will have to store something on your webserver so that the web app can prove that it has access to your account and is allowed to do transactions/buy bitcoins/etc. As soon as someone gains access to your web app, they can steal that information and use it to do API calls themselves. You could obfuscate the code, but that doesn't make it harder, just more time-consuming.
I would highly recommend that you not create an exchange website if you have no idea how to keep it secure. Letting someone else program it is also quite a gamble if you don't have programming experience. Who's to say that they don't include a little loophole so they can rob you later on?
EDIT: Yes, I know this is a pretty negative reaction, but I'm trying to get you to understand the risks of using an API for money-related services. For faucets it's usually okay as they don't hold a lot of money, but an exchange service is a different story. I would probably set up a Bitcoin full node and use that to do Bitcoin transactions (either using customers' Bitcoins or my own).
Anyway, I don't know enough about this subject to give a good opinion, so I'll shut up now.