In this chapter, I have tried to demonstrate that the only way to create reliable protection for a Web application against external attacks is to write appropriate code.
Other methods of filtering out unwanted input, such as external filters, HTTP server settings, and similar techniques, can complicate the attacker's task, but they cannot stop the attacker. At the same time, they complicate the development and maintenance of the system and the addition of new modules to it.
In essence, when you enable additional security modules and enforce restrictions in configuration files, you are trading questionable protection against the convenience of the programmer who relies on the system's features. Enable such security modules only when an existing system can neither be audited for security nor abandoned. Even then, be aware that you obtain no guarantee of the system's security, and overly strict server settings are likely to prevent the system from working at all.