Four Tenets of Web Security

  1. Never allow anyone to alter a user account when not logged in, without an email confirmation step. This includes creating an account, resetting or changing a password, subscribing to or unsubscribing from a mailing list. Creating an account can actually be ok, as long as they're not allowed to log in without confirmation. Unsubscribing from a mailing list without an explicit confirmation step is also ok, as long as it uses an unguessable URL (ie the confirmation step was part of the original email).
  2. XSS: Never print user input to the screen without sanitising it.
  3. CSRF: Always use form tokens to confirm the authenticity of a form. An alternative, for AJAX-based events, is to check the referer, but this will prevent anyone who has referer headers disabled in their browser from using the site.
  4. Never put private data in JSON at either a guessable URL or without checking the referer, as it can be fetched from third-party domains[1][2][3].

Note: if you're relying on referers for AJAX calls, make sure you haven't got a crossdomain.xml policy file that would allow Flash to make cross-domain requests (and that no-one can upload a file that could pretend to be a policy file), as then the referer header could be spoofed.