Assuming good coding practices are followed for a defence-in-depth approach, how do people protect at the request level - i.e. with a WAF? For example solutions with the commercial Nginx WAF and/or naxsi with managaged rule sets, or a CDN provider with a managed WAF rule set. What is the minimum maintenance overhead one can expect?