By default, Rails 2 employs protection against CSRF attacks. What it comes down to is sending an authenticity token (unique per session) along with all non-GET requests as well as all Ajax requests. I prefer jQuery to Prototype, the JavaScript library that ships with Rails. This is how I made jQuery automagically send the authenticity token along with all Ajax requests. In my application layout, I
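The token-forwarding logic described above, as an added example that is not the original post's code: a pure helper that appends the Rails 2 `authenticity_token` parameter to an Ajax request body, plus the jQuery `ajaxSend` hook that applies it to every request. It assumes the layout defines a global `AUTH_TOKEN` from `form_authenticity_token` (an assumption, not something the excerpt shows).

```javascript
// Added example (not from the original post). Appends the Rails 2
// authenticity token to every jQuery Ajax request, as protect_from_forgery
// expects. AUTH_TOKEN is assumed to be a global the layout sets from
// form_authenticity_token (assumption; the excerpt does not show it).

// Pure helper so the behaviour can be checked without a browser or jQuery.
// By the time ajaxSend fires, jQuery has already serialized object data,
// so `data` is a query string (or empty/undefined when there is no body).
function appendAuthenticityToken(data, token) {
  if (!token) return data;           // nothing to add; let Rails reject it
  var pair = 'authenticity_token=' + encodeURIComponent(token);
  if (data === undefined || data === null || data === '') return pair;
  // A serialized form may already carry the hidden token field; do not
  // send two copies, which would confuse the parameter parser.
  if (/(^|&)authenticity_token=/.test(data)) return data;
  return data + '&' + pair;
}

// Hook every jQuery Ajax request. Guarded so the helper above still loads
// (and can be tested) where jQuery is not present.
if (typeof jQuery !== 'undefined') {
  jQuery(document).ajaxSend(function (event, xhr, settings) {
    settings.data = appendAuthenticityToken(settings.data, window.AUTH_TOKEN);
  });
}
```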