The internet is not a safe place. It is extremely dangerous to assume that no one will attack your application, or that putting a firewall in front of the server is enough to stop attackers. According to the Open Web Application Security Project (OWASP), the following are the top 10 security risks for web applications:
- Injection
- Broken authentication
- Sensitive data exposure
- XML External Entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-Site Scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
Clearly, firewalls cannot help with these vulnerabilities. The application itself needs to address these security risks. Due to the scope of this book, we won't go into the details of each item in the list. You can find details about these security issues here: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf.