Hey everyone! I'm working on my first serious web project—a salary-comparison site that features a user-submitted form. I've got the frontend and backend set up, but I've realized that I need to pay serious attention to security. I've been doing my homework through articles and YouTube videos, but as a newbie, I would appreciate feedback on my current security measures and if there's anything I might be missing or overdoing. Here's what I've implemented so far:
* HTTPS enforcement
* Secure session cookies
* Session fixation protection
* Proper session destruction on logout
* CSRF token generation and validation
* Password hashing
* Login rate limiting
* Admin access control (currently just one admin)
* Admin session and CSRF validation
* Session username tracking
* IP hashing
* Prepared statements for DB queries
* Input trimming and length limits
* Text normalization
* Field validation (on client and server side)
* IP-based rate limiting (specific to actions)
* Honeypot field to catch bots
* Submission cooldown timer
* Search throttling
* CORS restrictions with allowed origins
* Restricting HTTP methods
* Form action restrictions
* XSS sanitization
* Strict CSP header
* No inline scripts
* Form validation
* Action logging
* Error logging
I'm also considering adding a CAPTCHA to help prevent spam and accidental submissions. Does that sound like a sensible addition, or is it overkill given what I've already implemented? Any suggestions would mean a lot as I'm still learning. Thanks!
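As an added example (not code from the original post), here is a server-side submission guard in Python that combines several of the listed measures: a constant-time CSRF token check, the honeypot field, keyed IP hashing, trimming with a length limit, and a per-IP cooldown. The secret key, field names and limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed settings (not from the original post): a server-side secret for IP hashing,
# a 30-second per-IP submission cooldown, and a 120-character cap on the text field.
IP_HASH_KEY = b"replace-with-a-random-server-secret"
COOLDOWN_SECONDS = 30
MAX_FIELD_LEN = 120

# In-memory cooldown state: hashed IP -> time of the last accepted submission.
# A real deployment would keep this in Redis or the database.
last_submission = {}


def hash_ip(ip: str) -> str:
    """Keyed hash of the client IP, so logs and rate-limit state never hold the raw address."""
    return hmac.new(IP_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()


def new_csrf_token(session: dict) -> str:
    """Generate a per-session CSRF token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_submission(form: dict, session: dict, client_ip: str, now: float) -> list:
    """Return the reasons a salary submission is rejected; an empty list means accept."""
    reasons = []
    # CSRF: constant-time comparison against the token kept in the server-side session.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        reasons.append("csrf")
    # Honeypot: the hidden 'website' field is never filled in by a real user.
    if form.get("website", "").strip():
        reasons.append("honeypot")
    # Trim the free-text field and enforce the length limit.
    title = form.get("job_title", "").strip()
    if not title or len(title) > MAX_FIELD_LEN:
        reasons.append("job_title")
    # Per-IP cooldown, keyed by the hashed IP rather than the raw one.
    key = hash_ip(client_ip)
    last = last_submission.get(key)
    if last is not None and now - last < COOLDOWN_SECONDS:
        reasons.append("cooldown")
    if not reasons:
        last_submission[key] = now
    return reasons
```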
3 Answers
I love seeing such a strong focus on security! Besides the honeypot, consider using something like Cloudflare Turnstile for additional bot protection. It's free and offers an invisible solution for users on public forms. Definitely look into it!
This is impressive! You've covered more ground than many production apps already. With methods like honeypots and rate limits in place, adding a CAPTCHA might not be necessary just yet. I recommend only implementing it if you notice an increase in bot activity. Focus on keeping the development process going without over-engineering things right now!
You seem to be showing off your security prowess a bit more than seeking actual advice, haha! Just make sure you're balancing security with simplicity, especially since you're still at the beginning stages.