Web Proxy concepts for SmarterMail - hardening of Forms, URLs, and Cookies
Problem reported by Douglas Foster - Today at 7:11 AM
Submitted
My tested web proxy had features to support hardening of all three of these web components, Forms, URLs, and Cookies. I thought this would be the easiest and most important protection provided by a web proxy, but I was wrong.

To explain: Assume that a web form asks for a 5-digit field, but a malicious actor creates a response with 5000 Unicode characters in that field. Is your application able to cope with that surprise? Even if your application is safe, can you be sure that your web server is not vulnerable to a surprise along these lines? Form hardening is intended to track what data is expected when a blank form is transmitted, so that a response can be evaluated for consistency with that form layout. The web proxy did this by storing an encrypted cookie containing the form's metadata.

Forms can be submitted with either GET or POST, so form hardening also required URL hardening. Cookie hardening used encrypted cookies created by the web proxy to detect and block malicious cookie manipulation.

In practice, none of this worked. On my tested applications, hardening any of these objects, or all three of them, produced application incompatibilities which were impossible to explain or resolve. SmarterMail provides a complex layout with multiple panels, so I have even less hope for a hardening strategy to work seamlessly. But maybe there is a product out there waiting for me to discover it.
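The form-hardening and cookie-hardening mechanisms described in the post above, reduced to a small working model (added example, not code from the original post or from any web proxy product). The proxy records the blank form's layout (field names, maximum lengths, digits-only flag) in a cookie when it serves the form, and on submission it checks the cookie's integrity and compares the submitted fields against the recorded layout. The post says the proxy used an encrypted cookie; this example uses an HMAC-signed cookie instead, which is enough to detect tampering, and the field specification format, function names and demo key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real proxy would load its signing key from secure config.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def issue_form_cookie(form_id, fields, secret=SECRET_KEY):
    """Record a blank form's layout as an HMAC-signed cookie value.

    `fields` maps field name -> {"maxlen": int, "digits": bool}. The proxy
    would set this cookie when it serves the empty form to the client.
    """
    payload = {"form": form_id, "fields": fields, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_form_cookie(cookie, secret=SECRET_KEY):
    """Cookie hardening: return the recorded metadata, or None if the cookie
    is missing, malformed, or its HMAC does not match (i.e. it was altered)."""
    if not cookie:
        return None
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def check_submission(cookie, submitted, secret=SECRET_KEY):
    """Form hardening: compare a submitted form (dict of name -> value) against
    the layout recorded in the cookie. Returns (ok, reasons)."""
    meta = verify_form_cookie(cookie, secret)
    if meta is None:
        return False, ["form cookie missing or tampered"]
    reasons = []
    allowed = meta["fields"]
    for name in submitted:
        if name not in allowed:
            reasons.append(f"unexpected field {name!r}")
    for name, spec in allowed.items():
        if name not in submitted:
            reasons.append(f"missing field {name!r}")
            continue
        value = submitted[name]
        if len(value) > spec["maxlen"]:
            reasons.append(f"field {name!r} too long ({len(value)} > {spec['maxlen']})")
        # str.isdigit() accepts non-ASCII Unicode digits, so require ASCII too;
        # this is the "5000 Unicode characters in a 5-digit field" case.
        if spec.get("digits") and not (value.isascii() and value.isdigit()):
            reasons.append(f"field {name!r} is not an ASCII digit string")
    return (not reasons), reasons


def demo():
    """Run a benign submission, an oversized Unicode one, and a tampered cookie."""
    cookie = issue_form_cookie("zip_lookup", {"zip": {"maxlen": 5, "digits": True}})
    benign = check_submission(cookie, {"zip": "12345"})
    oversized = check_submission(cookie, {"zip": "\u0663" * 5000})
    tampered_cookie = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    tampered = check_submission(tampered_cookie, {"zip": "12345"})
    return {"benign": benign, "oversized": oversized, "tampered": tampered}


if __name__ == "__main__":
    for label, (ok, reasons) in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'} {reasons}")
```

The same layout cookie would have to be honoured for both GET and POST submissions, which is the point the post makes about URL hardening: a form submitted via GET carries its fields in the query string, so the query string needs the same per-field checks as the request body.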
terry fairbrother Replied
All the web proxy posts, are these specific to Windows IIS or can they be applied to Linux?

J. LaDow Replied
The concept applies to Linux as well, but the applications used would be different.

In situations like this - if you're not familiar with the underlying operating system administration, it is recommended to entrust the services to a managed hosting services provider who can mitigate these things through experience.
MailEnable survivor / convert --
