A nice trick we used to do was to configure the firewall to disallow the user running the webserver (e.g., apache) from being able to send outbound traffic.
It still works fine as a webserver, as it's not initiating the connection. But if someone finds a vulnerability and hacks the server, their attack can't make any network requests outbound to establish comms with the C&C server, download payloads, etc.
You can still do that today but web stacks are getting complex and even the webserver may be making network requests to the open internet. Though if it was only to specific APIs you could allow that too...
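
The per-user egress restriction described above, with an allow-list for specific APIs, sketched as an added example that is not part of the original post. The account name `apache`, the chain name `EGRESS_<user>` and the address `203.0.113.10:443` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables (IPv4) ruleset for review; pipe the output
# to `sh` as root to apply it. Repeat with ip6tables if the host has IPv6.
# Assumed names: account "apache", chain "EGRESS_<user>", sample API address.

egress_rules() {
    [ $# -ge 1 ] || { echo "usage: egress_rules USER [IP:PORT ...]" >&2; return 1; }
    user=$1; shift
    chain="EGRESS_$user"

    # Validate every allowed destination before printing anything.
    for dest in "$@"; do
        case ${dest##*:} in
            ''|*[!0-9]*) echo "bad destination (want IP:PORT): $dest" >&2; return 1 ;;
        esac
    done

    echo "iptables -N $chain"
    # Responses to clients are outbound packets owned by the web server user,
    # so traffic on already-established connections has to pass.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Local backends, if any, reached over loopback.
    echo "iptables -A $chain -o lo -j ACCEPT"
    # The specific APIs the application is allowed to call.
    for dest in "$@"; do
        echo "iptables -A $chain -d ${dest%:*} -p tcp --dport ${dest##*:} -j ACCEPT"
    done
    # Anything else is a new outbound connection: log it, then refuse it.
    echo "iptables -A $chain -j LOG --log-prefix 'egress-deny: '"
    echo "iptables -A $chain -j REJECT"
    # Hook the chain in last, so it is complete before traffic reaches it.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
}

# Constructed sample: user "apache" may call one API at 203.0.113.10:443.
egress_rules apache 203.0.113.10:443
```

Kernel log lines carrying the `egress-deny: ` prefix record each refused connection attempt by the web server account, which makes them worth alerting on.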