How secure should a web application be? Well, for many of us web developers, the question doesn't make much sense. "An application must be as secure as possible. The more secure it is, the better." But that is not a definite answer, and it doesn't help to form a security policy for a project. Moreover, sticking to just this single directive ("The more secure it is, the better") may turn out to be a disservice. Why? That's what I'm going to discuss in this article.