Rails security, how to lock down rails

I'm curious on any rails specific tips or tricks to lock down
security. Say you have a rails application already done, now you want
to go back and disable everything in rails that you can that is not
needed by your application. For instance not loading certain modules,
or how to configure your routes so that it only allows what is
specifically stated and returns a 404 on everything else, etc.. I'm
assuming that the application itself has already been coded security
to avoid cross site scripting, sql injection, etc..