- Never allow anyone to alter a user account while not logged in without an email confirmation step. This includes creating an account, resetting or changing a password, and subscribing to or unsubscribing from a mailing list. Creating an account without confirmation can be acceptable, as long as the new account cannot log in until it is confirmed. Unsubscribing from a mailing list without an explicit confirmation step is also acceptable, as long as it uses an unguessable URL (i.e. the confirmation step was already part of the original email).
- XSS: Never output user input to the page without sanitising or escaping it for the context it is placed in.
- CSRF: Always use form tokens to confirm the authenticity of a form. An alternative, for AJAX-based events, is to check the referer, but this will lock out anyone who has disabled referer headers in their browser.
- Never serve private data as JSON from a guessable URL, or without checking the referer, as it can otherwise be fetched from third-party domains.
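The four items above, as an added Python example that is not part of the original checklist: single-use, expiring email confirmation tokens for account changes; escaping user input before it is written into HTML; an HMAC-derived per-session CSRF token compared in constant time; and a same-origin check for a JSON endpoint. It is framework-free so it runs offline; the in-memory `store` dict, all function names, and the use of the `Origin` header (with `Referer` as the fallback the checklist describes) are assumptions for illustration, not anything the original page specifies.

```python
import hashlib
import hmac
import html
import secrets
import time
from urllib.parse import urlparse


# --- 1. Account-altering actions need an emailed, single-use, expiring token.
def issue_confirmation_token(store, email, action, ttl_seconds=3600, now=None):
    """Mint an unguessable token, record only its hash (so a leaked store does
    not leak usable links), and return the raw token for the email. `store` is
    any dict-like object (assumption: an in-memory dict here)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = {"email": email, "action": action, "expires": now + ttl_seconds}
    return token


def consume_confirmation_token(store, token, now=None):
    """Return (email, action) once for a valid, unexpired token; None otherwise.
    The record is removed on first use, so a confirmation link cannot be replayed."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = store.pop(digest, None)
    if record is None or record["expires"] < now:
        return None
    return record["email"], record["action"]


# --- 2. XSS: escape user input at the point it is written into HTML.
def render_comment(text):
    """Escape &, <, >, " and ' so the input is displayed rather than interpreted."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- 3. CSRF: a per-session form token that a third-party page cannot read.
def csrf_token_for_session(secret, session_id):
    """Derive the token from the session id with an HMAC keyed by a server
    secret, so it needs no separate storage and cannot be forged without the key."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(secret, session_id, submitted):
    """Constant-time comparison; a missing, malformed or wrong token rejects the form."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = csrf_token_for_session(secret, session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


# --- 4. JSON containing private data: only answer same-origin requests.
def request_is_same_origin(headers, site_host):
    """Accept only when the Origin header (preferred; browsers send it on
    cross-site requests) or, failing that, the Referer names exactly our host.
    A request carrying neither header is refused, which is the cost the
    checklist notes for users who disable referers. Matching on the parsed
    hostname rather than a string prefix stops 'example.com.evil.net'."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    return urlparse(value).hostname == site_host


if __name__ == "__main__":
    # Constructed demo values, not real users or secrets.
    store = {}
    link_token = issue_confirmation_token(store, "alice@example.com", "password-reset")
    print("emailed link would carry:", link_token)
    print(consume_confirmation_token(store, link_token))   # used once
    print(consume_confirmation_token(store, link_token))   # None: already used
    print(render_comment('<script>alert(1)</script>'))
    key = secrets.token_bytes(32)
    print(verify_csrf_token(key, "sess-1", csrf_token_for_session(key, "sess-1")))
    print(request_is_same_origin({"Referer": "https://example.com/app"}, "example.com"))
```

The confirmation-token helper is the same mechanism behind the "unguessable URL" carve-out in the first item: the unsubscribe link simply carries the token, and consuming it is the confirmation.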
Note: if you're relying on referers for AJAX calls, make sure you do not have a crossdomain.xml policy file that would allow Flash to make cross-domain requests (and that no-one can upload a file that could pass as a policy file), as then the referer header could be spoofed.
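The note above, as an added audit script that is not part of the original page: it parses a crossdomain.xml and reports the two settings the note warns about, an `allow-access-from` entry that admits other origins (a bare or leading `*` wildcard), and a missing `site-control` restriction, which is what stops an uploaded file elsewhere on the site from being honoured as a policy file (`permitted-cross-domain-policies="master-only"` or `"none"`). Both sample policies are constructed for the example, and the function name is an assumption.

```python
import xml.etree.ElementTree as ET


def audit_crossdomain_policy(policy_xml):
    """Return a list of findings; an empty list means the policy does not
    undermine a referer-based same-origin check on this host."""
    root = ET.fromstring(policy_xml)
    findings = []
    if root.tag != "cross-domain-policy":
        return [f"root element is {root.tag!r}, not cross-domain-policy"]

    # Without master-only/none, Flash will accept policy files found at other
    # paths, including a user-uploaded file crafted to look like one.
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    if permitted not in ("master-only", "none"):
        findings.append(
            "site-control does not restrict policy files to the master file "
            f"(permitted-cross-domain-policies={permitted!r}); uploaded files "
            "could be treated as policy files")

    # A wildcard domain lets Flash content on any matching host make requests
    # to this site, which is the cross-domain access the note says to avoid.
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*" or domain.startswith("*."):
            findings.append(
                f"allow-access-from domain={domain!r} permits cross-domain "
                "requests from any matching host")
    return findings


# Constructed sample: a permissive policy, as often shipped by default.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed sample: the corrected policy, restricted to one named host.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
```

Run it against the crossdomain.xml actually served at the site root; if the site has no Flash clients at all, the simplest safe state is to serve no policy file, or one with `permitted-cross-domain-policies="none"` and no `allow-access-from` entries.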