As Martin_fr already said, the most important one is the -Xs (strip symbols). The others - not very sure - but I think are not very important.
Simply configuring the settings 'properly' including striping the symbols are not very useful. Hackers can easily peek into your exe file to find important texts using hex tools, for example you save your password using const:
const
MyPassword = 'rainbow';
You should save only encrypted version of the text and decrypt it runtime. For example, you can write a simple function to get the decrypted text by combining 2 strings:
const
MyPassword1 = 'ribw';
MyPassword2 = 'ano';
function CombinePass(Input1, Input2: string): string;
I tell you a story. When I was around 16, I got a pirated copy of Lotus 123. Starting the program, I saw the splash screen said "Lotus 123, licensed to
[xxxxx]". So I was thinking could I change the name? Using a hex tool, I changed the
[xxxxx] to my name, but the program won't start after being modified. Using debug.com (or maybe debug.exe), I managed to trace the program. I found that it used a simple checksum to make sure the licensed info hasn't changed. Yep, as you guess, I managed to make it to show my name on the splash screen.
FYI, Lotus 123 is one of the world class applications in that old era. With some tools and knowledge it was easy to hack. Ssst, don't tell the Lotus company I hacked their software, or I will be trouble.
Even you have encrypted the password string, hackers still can hack it. They don't have to know how to decrypt your password, they just need find the code that handling the login process, and use a jmp command to skip it.
If you want to understand how to 'better' protect your program, I suggest you should learn some assembly language and try to hack some programs. I felt shameful to hack someone's program, so I don't pursue my career as a hacker.