See https://incompleteness.me/blog/2007/10/29/web-application-security/