Further Reading

The HTTP/1.1 specification, RFC 2616, devotes Section 15 ("Security Considerations") to the security issues that arise at the HTTP level, such as leaking sensitive information through server logs, URIs, and request headers; attacks based on file and path names; and the handling of authentication credentials and caching proxies (http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html). Note that RFC 2616 has since been obsoleted by RFCs 7230 through 7235, each of which carries its own Security Considerations section, but the principles laid out in Section 15 still apply.

The Ruby on Rails Security Guide at http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide summarizes the Rails security best practices current as of this writing. It provides "cookbook"-style solutions to many real-world problems: authentication; mitigating SQL injection, XSS, and CSRF; handling file uploads safely; and preventing form spam. Because it dates from 2007, check its recipes against the Rails version you are actually running.