In specifying security requirements for a web workload, what are the critical security controls you would recommend to protect against common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks?