What is the principle of defense-in-depth applied to web applications?

Defense-in-depth for web applications means layering multiple security controls so no single control failure leads to a breach. Layers: (1) Network perimeter: CDN + DDoS protection (Cloudflare), WAF filtering. (2) Transport: HTTPS with HSTS, TLS 1.2+, strong cipher suites. (3) Application authentication: MFA, secure session management, account lockout. (4) Application authorization: RBAC, object-level auth, principle of least privilege. (5) Input handling: validation + parameterized queries + output encoding. (6) Security headers: CSP, X-Frame-Options, HSTS, Referrer-Policy. (7) Dependencies: SCA scanning, automated dependency updates. (8) Database: encrypted at rest, least privilege DB user, no public access. (9) Secrets management: vault (HashiCorp Vault, AWS Secrets Manager), no secrets in code. (10) Monitoring: SIEM, anomaly detection, alerting on auth failures. (11) Incident response: documented playbooks, backups, disaster recovery. Each layer independently reduces risk.