This paper presents a new methodology using software reflection to prevent, detect, and mitigate internal attacks to a running Internet Web server. This methodology is very suitable to design such systems as secure by default, that is, when designing the software some parts are marked as secured, and any change/modification of these parts will be an unexpected behavior that needs to be analyzed. If these changes turn out to be attacks, then some remediation techniques are activated, in order to guarantee that the system will continue to work even in the presence of an attack. In addition of providing the methodology, we show how this technique has been used as the basis to develop a real information system. Our experiments are convincing and argue for a secure design to develop complex systems in order to facilitate their protection, and to help to prevent attacks and intrusions