Secure Deployment Configuration
Web applications do not execute in isolation. They typically are deployed within an application server framework, running within an operating system on a physical host, within a network.
Secure operating system configuration (also called hardening) is not typically within the scope of code review. For more information, see the Center for Internet Security operating system benchmarks.
Networks today consist of much more than routers and switches providing transport services. Filtering switches, VLANs (virtual LANs), firewalls, WAFs (Web Application Firewall), and various middle boxes (e.g. reverse proxies, intrusion detection and prevention systems) all provide critical security services when configured to do so. This is a big topic, but outside the scope of this web application code review guide. For a good summary, see the SANS (System Administration, Networking, and Security) Institute Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
Application server frameworks have many security related capabilities. These capabilities may be enabled and configured programmatically or declaratively. Programmatic configuration is done within the web application, using framework specific APIs. Declarative configuration is done via static configuration files, typically in XML format.