The incredible progress in technologies has drastically increased the usage of Web applications. Users share their credentials like userid and password or use their smart cards to get authenticated by the application servers. Smart cards are handy to use, but they are susceptible to stolen smart card attacks and few other notable security attacks. Users prefer to use Web applications that guarantee for security against several security attacks, especially insider attacks, which is crucial. Cryptanalysis of several existing schemes prove the security pitfalls of the protocols from preventing security attacks, specifically insider attacks. This paper introduces LAPUP: a novel lightweight authentication protocol using physically unclonable function (PUF) to prevent security attacks, principally insider attacks. The PUFs are used to generate the security keys, challenge-response pair (CRP) and hardware signature for designing the LAPUP. The transmitted messages are shared as hash values and encrypted by the keys generated by PUF. These messages are devoid of all possible attacks executed by any attacker, including insider attacks. LAPUP is also free from stolen verifier attacks, as the databases are secured by using the hardware signature generated by PUFs. Security analysis of the protocol exhibits the strength of LAPUP in preventing insider attacks and its resistance against several other security attacks. The evaluation results of the communication and computation costs of LAPUP clearly shows that it achieves better performance than existing protocols, despite providing enhanced security.