You are evaluating security requirements for a web workload that handles sensitive customer data. What are the critical security controls you would recommend to protect against common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and data breaches? Consider input validation, output encoding, and data encryption.