It depends on your application and its size. Generally speaking, you want a tight policy, which will ensure maximum protection against attacks. If staging is enabled, many attacks will not be blocked! If your application is small to medium, then yes, you should whitelist all parameters and enforce everything. This is provided your application never or rarely changes (e.g. OWA, Oracle apps, etc.). If you are protecting an "agile" application which changes weekly and maybe even daily, then a hybrid approach is needed.