top five security tips

I've recently deployed my first app and, although I don't think I've done too much wrong, I'm acutely aware of the importance of security. I'm sure people here are also.

I'd be interested in learning more and as such I thought I'd start a thread on the top five security mistakes (or gotchas I suppose) made by people, or just any pointers for things to watch out for. Either application based stuff or server configuration tips. I appreciate there are a heck of a lot more than five things, but hey, gotta start somewhere.

In my specific case, my app uses the original acts_as_authenticated plugin as well as the file_column plugin (allows people to upload images). I'm hosted on joyent shared hosting (aka textdrive).

Top 5 security mistakes when deploying a new app.

1) errr, apply special permissions to database.yml
2) ...
3) ...
4) ...
5) ...

Appreciate any tips.
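Item 1 is worth spelling out for anyone on shared hosting: every other tenant on the box is a local user, so a group- or world-readable config/database.yml hands them the database password. The following is an added example (not code from the thread or from Rails) that checks the mode bits and ownership of a credentials file and tightens it to owner-only; the constructed database.yml, the 0644 starting mode and the helper names are assumptions for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# On shared hosting every other tenant is a local user on the same box, so
# any group- or world-readable bit on config/database.yml hands them the
# database password. Target: owner read/write only (0600), owned by the
# account the app runs as.
GROUP_AND_OTHER = 0o077

# Mode bits that leak the file to other users (0 means none are set).
def leaked_bits(path)
  File.stat(path).mode & GROUP_AND_OTHER
end

# True only when no group/other bits are set and the file belongs to us.
def credentials_file_ok?(path)
  st = File.stat(path)
  (st.mode & GROUP_AND_OTHER).zero? && st.uid == Process.euid
end

# Tighten to 0600; returns [old_mode, new_mode] as octal strings for logging.
def lock_down!(path)
  before = File.stat(path).mode & 0o777
  File.chmod(0o600, path)
  after = File.stat(path).mode & 0o777
  [format('%04o', before), format('%04o', after)]
end

# Demo against a constructed database.yml (assumed contents) in a throwaway
# directory, left at the 0644 a fresh checkout or FTP upload typically gives.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'config', 'database.yml')
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "production:\n  adapter: mysql\n  password: s3cret\n")
    File.chmod(0o644, path)
    puts "#{path}: leaked bits #{format('%03o', leaked_bits(path))}, ok? #{credentials_file_ok?(path)}"
    before, after = lock_down!(path)
    puts "chmod #{before} -> #{after}, ok? #{credentials_file_ok?(path)}"
    credentials_file_ok?(path)
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

Run it as the user the app runs under; a file that is 0600 but owned by someone else (a root-owned deploy artifact, say) still fails the ownership half of the check, which is deliberate, since the app then cannot rotate or rewrite it. The same check applies to anything else holding secrets, such as a session secret in environment.rb.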

any pointers?

Well you've cast quite a wide net, and it's always hard to know at what level you're pitching. So I can say 'use h and sanitize where appropriate', but I might be stating the bleeding obvious. has lots of good stuff (but it's not quite up to date, e.g. it warns against using sanitize, recommending white_list instead, but in Rails 2.0 sanitize is white_list).
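To make the 'h versus sanitize' advice concrete: h is for untrusted text that must render as text (escape everything), while sanitize is for untrusted HTML you actually want to keep some of (a whitelist of tags and attributes, everything else dropped). The block below is an added example, not code from the thread or from Rails: h is just ERB::Util.html_escape from the standard library, which is what Rails' helper wraps, and the small whitelist sanitizer is illustrative of the principle only. The allowed tag and attribute lists, the href policy and the helper names are assumptions. In a Rails 2.0 app use the built-in sanitize helper rather than this hand-rolled one.

```ruby
require 'erb'

# Rails' h() is ERB::Util.html_escape: <, >, &, " (and ' on newer Rubies)
# become entities, so untrusted text can be dropped into HTML as plain text.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Assumed whitelist for the illustrative sanitizer: a few formatting tags,
# and links whose href is http(s) or a site-relative path.
ALLOWED_TAGS  = %w[b i em strong p br a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_HREF     = %r{\A(https?://|/)}i

# Text between tags: only < and > are neutralised here, since the input is
# already HTML and may carry entities (&amp;) that must not be double-escaped.
def escape_text(text)
  text.gsub('<', '&lt;').gsub('>', '&gt;')
end

# Rebuild a tag from scratch so only whitelisted tag names and attributes
# survive; anything unrecognised (comments, <script>, onclick=, style=) is
# dropped rather than passed through.
def rebuild_tag(tag)
  m = tag.match(%r{\A<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)(.*?)/?\s*>\z}m)
  return '' unless m
  closing, name, attr_str = (m[1] == '/'), m[2].downcase, m[3]
  return '' unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing

  attrs = String.new
  attr_str.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |k, dq, sq, bare|
    key = k.downcase
    val = (dq || sq || bare || '').strip
    next unless (ALLOWED_ATTRS[name] || []).include?(key)
    next if key == 'href' && val !~ SAFE_HREF # drops javascript:, data:, vbscript:
    attrs << %( #{key}="#{h(val)}")
  end
  "<#{name}#{attrs}>"
end

# Whitelist sanitizer: keep allowed markup, drop every other tag (its text
# content stays), and escape stray angle brackets in the text.
def whitelist_sanitize(html)
  out = String.new
  html.to_s.scan(/<[^>]*>|[^<]+|</) do |tok|
    out << (tok.start_with?('<') && tok.end_with?('>') ? rebuild_tag(tok) : escape_text(tok))
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs of the kind a comment form or file_column caption sees.
  ['<script>alert(1)</script>',
   '<b onclick="x()">hi</b>',
   '<a href="javascript:alert(1)">x</a>',
   '<IMG SRC=x onerror=alert(1)>',
   '1 < 2 && <a href="/about?a=1&b=2">ok</a>'].each do |s|
    puts "h:        #{h(s)}"
    puts "sanitize: #{whitelist_sanitize(s)}"
  end
end
```

The two helpers answer different questions: h makes the whole string inert, sanitize decides which markup is allowed to stay. Using sanitize where h would do (a username, a filename from file_column) widens the attack surface for no benefit, and a hand-written filter like the one above is only as good as its tokenizer, which is why the shipped white_list sanitizer is the right tool in a real app.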