
Suggestion: Hardened mode for web services

Open triska opened this issue 8 years ago • 0 comments

Especially for web services, it would be great if there were a mode that works as securely as sensible by default, and can be easily enabled, for example via an option such as --hardened in the HTTP Unix daemon. At the cost of making development somewhat harder (if enabled), such a mode would reveal less information to attackers.

Configuration options that could be affected by such a mode come to mind immediately, especially after the discussion in https://github.com/SWI-Prolog/plweb/issues/23:

  • obsolete protocols should be reliably disabled in this mode, without weakening security if users themselves have already chosen more secure settings.
  • backtraces that may expose sensitive data (such as login names, paths etc.) must be disabled.
  • anything else?

triska · Jul 02 '17 16:07
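As an added illustration of the merge policy the bullets above ask for (a hardened profile whose defaults never loosen a setting the operator already made stricter, and error pages that omit backtraces), here is a small Python model. It is example code written for this page, not SWI-Prolog's http library; the option names, the default values, the protocol ranking and the sample handler path are all constructed for the example.

```python
"""Model of a --hardened merge policy (constructed example, not SWI-Prolog code).

Two rules are modelled:
  1. Enabling the hardened profile takes, per option, the stricter of the
     operator's own choice and the hardened default, so it never weakens
     a deployment that was already configured more securely.
  2. The error page includes a backtrace only when show_backtrace is on;
     hardened mode forces it off so paths and similar details stay private.
"""
import traceback

# Protocol versions ordered weakest -> strongest (constructed ranking).
TLS_ORDER = ["sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3"]

# Defaults used when nothing is configured: deliberately lax, like a dev setup.
DEV_DEFAULTS = {
    "min_protocol_version": "tlsv1",
    "show_backtrace": True,
}

# Defaults applied by the hypothetical --hardened switch.
HARDENED_DEFAULTS = {
    "min_protocol_version": "tlsv1_2",
    "show_backtrace": False,
}


def stricter_tls(a, b):
    """Return whichever of two minimum protocol versions is the stronger one."""
    return a if TLS_ORDER.index(a) >= TLS_ORDER.index(b) else b


def effective_config(user, hardened):
    """Compute the running configuration from operator settings and the mode flag.

    Without --hardened the operator's values simply override the dev defaults.
    With --hardened each option is merged monotonically: the result is never
    weaker than either the operator's value or the hardened default.
    """
    cfg = dict(DEV_DEFAULTS)
    cfg.update(user)
    if not hardened:
        return cfg
    cfg["min_protocol_version"] = stricter_tls(
        cfg["min_protocol_version"], HARDENED_DEFAULTS["min_protocol_version"]
    )
    # Backtraces are only shown if both the operator and the profile allow it.
    cfg["show_backtrace"] = cfg["show_backtrace"] and HARDENED_DEFAULTS["show_backtrace"]
    return cfg


def error_page(exc, cfg):
    """Render a 500 body; the traceback is attached only when permitted."""
    body = "500 Internal Server Error\n"
    if cfg["show_backtrace"]:
        body += "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return body


def demo_error(cfg):
    """Simulate a handler failing on a filesystem path (constructed sample)."""
    try:
        raise FileNotFoundError("/home/alice/app/conf/secret.cfg")  # constructed path
    except FileNotFoundError as exc:
        return error_page(exc, cfg)


if __name__ == "__main__":
    dev = effective_config({}, hardened=False)
    hard = effective_config({"min_protocol_version": "tlsv1_3"}, hardened=True)
    print("dev config:     ", dev)
    print("hardened config:", hard)
    print(demo_error(hard))
```

The point worth noticing is the second rule: a deployment that already set `min_protocol_version` to `tlsv1_3` keeps it when the hardened profile (whose own floor is `tlsv1_2`) is switched on, while a deployment left at the dev default is raised to the floor.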