8.8. Summary

In this chapter, we considered the principles of web application security; not just the issues that are specific to Ajax or Rails, but to all web applications. In fact, there are very few new security concerns that Ajax brings to the table: it's just another medium for client-server communication, so all of the non-Ajax security principles apply equally to Ajax development. The golden rule of web security, don't trust user input, forms the umbrella over most of this chapter: SQL injection, XSS, session fixation, scoped queries, how to avoid record IDs in URLs, the perils of mass assignment, and the insufficiency of client-side form validation.

In the next chapter, the topic turns to performance and offers advice to help you make your Rails applications hum. As with security, most web application performance issues aren't specific to Ajax, but Ajax provides a new context in which to approach old problems.

