RoR security guide

Came across the Ruby on Rails Security Guide. Good read for all web application developers, not just for RoR aficionados. Some tips I noted:

  • Don’t use session objects as a data store.
  • Issue a new session id for each login to prevent session fixation.
  • Expire sessions on the server, as users can edit cookies.
  • Limit the number of IP addresses from which the admin interface can be accessed, or put the admin pages under a special sub-domain.

The article also has a detailed description of CSRF, XSS and various forms of ‘injections’ and how to counter these.
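The session and admin-access tips above, worked into a small server-side session store. This is an added illustration written for this post, not code from the Rails Security Guide or from Rails itself: `SessionStore`, its `SESSION_TTL`, the `admin_allowed?` helper and the CIDR ranges in `ADMIN_ALLOWLIST` are all assumed, constructed names and values. It shows the three behaviours in one place: the client cookie carries only an opaque id (no data in the session), login discards the pre-login id and issues a fresh one, and expiry is enforced on the server no matter what the cookie claims.

```ruby
require 'securerandom'
require 'ipaddr'

# Hypothetical server-side session store (not Rails code). Session state lives
# on the server, keyed by an opaque id that is the only thing the cookie holds,
# so a user editing the cookie cannot change the stored data or its expiry.
class SessionStore
  SESSION_TTL = 15 * 60 # seconds of inactivity before the server drops a session

  def initialize
    @sessions = {} # id => { user_id:, expires_at: }
  end

  # Create an anonymous (pre-login) session and return its id.
  def create(now = Time.now)
    id = SecureRandom.hex(32)
    @sessions[id] = { user_id: nil, expires_at: now + SESSION_TTL }
    id
  end

  # Login: discard the pre-login id (the one an attacker could have planted,
  # i.e. session fixation) and issue a fresh id bound to the authenticated user.
  def login(old_id, user_id, now = Time.now)
    @sessions.delete(old_id)
    new_id = SecureRandom.hex(32)
    @sessions[new_id] = { user_id: user_id, expires_at: now + SESSION_TTL }
    new_id
  end

  # Look up a session, enforcing expiry on the server regardless of any expiry
  # the client claims. Returns nil for unknown or expired ids; refreshes the
  # expiry on each successful use (sliding expiration).
  def fetch(id, now = Time.now)
    session = @sessions[id]
    return nil unless session
    if now >= session[:expires_at]
      @sessions.delete(id)
      return nil
    end
    session[:expires_at] = now + SESSION_TTL
    session
  end
end

# Admin interface reachability: only clients inside the allowlisted networks may
# reach it. The CIDR ranges are constructed sample values, not a recommendation.
ADMIN_ALLOWLIST = ['10.0.0.0/8', '192.168.1.0/24'].map { |cidr| IPAddr.new(cidr) }

def admin_allowed?(remote_ip, allowlist = ADMIN_ALLOWLIST)
  ip = IPAddr.new(remote_ip)
  allowlist.any? { |net| net.include?(ip) }
rescue IPAddr::InvalidAddressError
  false # a malformed address never satisfies the allowlist
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  anon = store.create
  authed = store.login(anon, 42)
  puts "pre-login id still valid after login? #{!store.fetch(anon).nil?}"
  puts "post-login session user: #{store.fetch(authed)[:user_id]}"
  puts "admin from 10.1.2.3 allowed? #{admin_allowed?('10.1.2.3')}"
  puts "admin from 203.0.113.5 allowed? #{admin_allowed?('203.0.113.5')}"
end
```

In a real Rails app the login step is the `reset_session` call the guide describes, and the IP check would sit in a `before_action` on the admin controllers; the point of the toy version is that all three decisions are made from server-side state, so nothing the client can edit in its cookie changes them.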