
Explain defense in depth with a concrete web-application example.

Layer independent controls so no single failure is catastrophic. For a web app: CDN/WAF at the edge → TLS + HSTS → strong authn (SSO + MFA) → per-request authorization checks → input validation + parameterized queries → least-privilege DB credentials + row-level security → secrets in a vault → egress filtering (anti-SSRF) → centralized logging/alerting. If one layer is bypassed (say an authz bug), the others — RLS, monitoring, least privilege — contain the blast radius.
