
Security details of the upcoming Rails 2.0 release

"Making it even easier to create secure applications out of the box is
always a pleasure and with Rails 2.0 we’re doing it from a number of
fronts. Most importantly, we now ship with a built-in mechanism for
dealing with CSRF attacks. By including a special token in all forms
and Ajax requests, you can guard against having requests made from outside
of your application. All this is turned on by default in new Rails 2.0
applications and you can very easily turn it on in your existing
applications using ActionController::Base.protect_from_forgery (see
ActionController::RequestForgeryProtection for more).

We’ve also made it easier to deal with XSS attacks while still
allowing users to embed HTML in your pages. The old TextHelper#sanitize
method has gone from a black list (very hard to keep secure) approach
to a white list approach. If you’re already using sanitize, you’ll
automatically be granted better protection. You can tweak the tags that
are allowed by default with sanitize as well. See TextHelper#sanitize
for details.

Finally, we’ve added support for HTTP only cookies. They are
not yet supported by all browsers, but you can use them where they
are."
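What protect_from_forgery provides, modelled in plain Ruby as an added example that is not Rails' own RequestForgeryProtection code: a per-session secret, the hidden authenticity_token field a form helper would emit, a check that skips GET and HEAD and rejects any other request whose token is missing or wrong, and the HttpOnly flag on the session cookie that carries the secret. The class, method, parameter and cookie names are illustrative assumptions, and the session is a plain Hash standing in for a real session store.

```ruby
require 'securerandom'

# Hypothetical, minimal model of per-session request-forgery protection,
# written for this note; it is not Rails' RequestForgeryProtection.
class ForgeryGuard
  SAFE_METHODS = %w[GET HEAD].freeze   # read-only by convention, so never checked

  def initialize(session)
    @session = session
    @session[:_csrf_token] ||= SecureRandom.hex(32)   # 64 hex chars, one secret per session
  end

  # Value every form and Ajax request must carry as "authenticity_token".
  def token
    @session[:_csrf_token]
  end

  # Hidden field a form helper would emit into each form.
  def hidden_field
    %(<input type="hidden" name="authenticity_token" value="#{token}" />)
  end

  # True if the request may proceed; false if it must be rejected.
  # A page on another origin can make the browser send our session cookie,
  # but cannot read this token out of our forms, so it cannot supply it.
  def verified?(method, params)
    return true if SAFE_METHODS.include?(method.upcase)
    presented = params['authenticity_token']
    return false if presented.nil?
    secure_compare(presented, token)
  end

  private

  # Constant-time comparison: rejects on length first, then XORs every byte
  # so the position of the first mismatch does not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Set-Cookie header for the session cookie that holds the token's secret.
# HttpOnly keeps document.cookie, and so any script injected via XSS, from
# reading it; browsers without support simply ignore the flag.
def session_cookie_header(name, value, http_only: true)
  attrs = ["#{name}=#{value}", 'path=/']
  attrs << 'HttpOnly' if http_only
  attrs.join('; ')
end

# Walks through the cases a practitioner would want to see (constructed input).
def forgery_demo
  session = {}
  guard = ForgeryGuard.new(session)
  {
    legit:   guard.verified?('POST', { 'authenticity_token' => guard.token }),
    missing: guard.verified?('POST', {}),                          # cross-site form, no token
    guessed: guard.verified?('POST', { 'authenticity_token' => 'a' * 64 }),
    get:     guard.verified?('GET', {}),                           # safe method, unchecked
    field:   guard.hidden_field.include?(guard.token),
    cookie:  session_cookie_header('_session_id', 'opaque-id')
  }
end

puts forgery_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Two caveats follow directly from the model. The check is skipped for GET and HEAD, so any route that changes state on a GET request stays forgeable no matter what the token does; and the token only helps as long as injected script cannot read the session cookie and the page's forms, which is why the HttpOnly flag and the sanitize change in the same release matter together.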

Article Link: http://www.net-security.org/secworld.php?id=5495
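The white-list approach the announcement describes, written out in plain Ruby as an added example that is not Rails' TextHelper#sanitize and does not use its tag or attribute lists (the lists, regexes and function names below are illustrative assumptions). Tags and attributes not on the allow-list are dropped rather than looked up in a list of known-bad ones, and a link target is kept only when it is relative or carries a listed scheme, so a javascript: URL survives neither as written, with embedded whitespace, nor entity-encoded. The sample inputs in the usage comment are constructed.

```ruby
require 'cgi'

# Hypothetical allow-list sanitizer written for this note; the lists below are
# illustrative, not the defaults of Rails' TextHelper#sanitize.
ALLOWED_TAGS      = %w[a b i em strong p br ul ol li code pre].freeze
ALLOWED_ATTRS     = { 'a' => %w[href title] }.freeze
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

TAG_RE  = %r{</?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# A link target is safe when it is relative or its scheme is on the list.
# Entities are decoded and whitespace/control characters removed first, since
# browsers tolerate "java\nscript:" and "&#106;avascript:" as javascript:.
def safe_url?(url)
  cleaned = CGI.unescapeHTML(url).gsub(/[\s\x00-\x1f]/, '').downcase
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme)
end

# Text between tags: decode whatever entities the author wrote, then escape,
# so "&amp;" is not double-encoded and "<" never reaches the browser raw.
def escape_text(text)
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Rebuilds one tag from scratch: tags not on the list vanish (their inner text
# survives as text), attributes not on the list vanish, unsafe hrefs vanish.
def rebuild_tag(m)
  name = m[1].downcase
  return '' unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if m[0].start_with?('</')
  attrs = +''
  m[2].scan(ATTR_RE) do |attr, dq, sq, bare|
    attr  = attr.downcase
    value = dq || sq || bare
    next unless (ALLOWED_ATTRS[name] || []).include?(attr)
    next if attr == 'href' && !safe_url?(value)
    attrs << %( #{attr}="#{CGI.escapeHTML(value)}")
  end
  "<#{name}#{attrs}>"
end

# Everything that is not an allowed, rebuilt tag is emitted as escaped text.
def sanitize(html)
  out = +''
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << escape_text(html[pos...m.begin(0)])
    out << rebuild_tag(m)
    pos = m.end(0)
  end
  out << escape_text(html[pos..-1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign tag, three injection attempts, and raw text.
  ['<b>hi</b>',
   '<a href="javascript:alert(1)">x</a>',
   '<a href="&#106;avascript:alert(1)">x</a>',
   '<img src=x onerror=alert(1)>',
   'a < b &amp; c'].each { |s| puts "#{s.inspect} => #{sanitize(s).inspect}" }
end
```

The contrast with a black list is the `return '' unless ALLOWED_TAGS.include?(name)` line: a new tag or attribute that browsers start honouring is rejected by default instead of being safe until someone adds it to a list of known-bad names.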