Rails sends a couple of security HTTP headers by default, so you should probably know what they do. There are also a few additional ones that require a bit more configuration and thought. You can read the article here.