Which statement best describes the vulnerability category most effectively mitigated by both proper security configurations and a Web Application Firewall?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which statement best describes the vulnerability category most effectively mitigated by both proper security configurations and a Web Application Firewall?

Explanation:
Defense in depth against web vulnerabilities comes from combining secure configurations with a Web Application Firewall. A WAF filters and blocks harmful traffic before it reaches the application, making it effective against injection flaws such as SQL injection and cross-site scripting by spotting and blocking malicious payloads. At the same time, proper security configurations reduce the attack surface that results from misconfigurations—things like default credentials, exposed verbose error messages, unnecessary open services, and missing patches. When these two layers work together, you address both the injection attacks the WAF can catch and the misconfigurations that a WAF alone cannot fix, so the vulnerability category that is most effectively mitigated is the combination of injection and security misconfiguration.
