Security in a private web service

Posted by Oni on Programmers
Published on 2012-03-28T20:59:49Z Indexed on 2012/03/28 23:43 UTC

I am developing a web site and a web service for a small on-line game. Technically, I'll be using Express (node.js) and MongoDB+Redis for the databases. This is the structure I came up with:

  • One Express server that will serve as the Web Service. This will connect to the databases.
  • One Express server that will provide the web site. It will connect to the Web Service to retrieve and push the information.
  • iOS and Android applications will be able to interact with the Web Service.

Taking into account:

  • It is a small game. The information transferred is not critical.
  • There will NOT be third party applications. At least for the moment.

My concern is about which level of security I should use in each of the scenarios:

  • Security of the user playing through web browser
  • Security of the applications and the Web Server connecting to the WS.

I have taken a look at the different options and:

  • OAuth and/or HTTPS is too much for this scenario, isn't it?
  • Would it be a good option to hash the user and password with MD5 (or similar) and some salt?

I would like to get some directions and investigate on my own rather than getting a response like "you should use this node.js module..."

Thanks in advance,
