Different solutions have been implemented for different security aspects (access control, application security) of enterprise web applications. However, combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this paper, we propose adding a new layer to n-tier web application architectures that uses RAD service implementations to execute enterprise and application security policies. The proposed architecture not only enables applications to benefit from enterprise-level security policies provided by RAD, but also implements "application-level" security based on RAD services to eliminate web application attacks, including but not limited to those based on cross-site scripting, SQL injection, forceful browsing, cookie poisoning, invalid input and, most importantly, session stealing. © 2008 Atilla Elçi.