Thanks to Hacker News for bringing this common problem with Rails apps to my attention. Nobody seems to have taken advantage of it on my app, but still, it’s a drag having insecure applications, and a little disappointing that there aren’t more heads-ups about this, or a more secure default, as Merb apparently has.