> * Is this the right list (and order) of the mitigations - or should > ReWrite be first ? FWIW I don't like rewrite first because it's so unruly with being defined once per vhost + main server + RewriteEngine on.
I like RequestHeader simplicity, and could be combined with SetEnvIf to only zap long malicious looking headers.