William Notowidagdo Kiranatama Staff
Knowledge


An open redirect lets an attacker build a self-contained attack, or forward the user to a trap web site, by sending an unsuspicious-looking link that points to an external site, e.g. http://www.example.com/site/redirect?to=www.attacker.com. Some simple countermeasures are:
  1. If you redirect to a URL, check it against a whitelist or a regular expression.
  2. Avoid using redirect_to(params[:some_param]).
  3. Do not allow the user to supply (parts of) the URL to be redirected to.
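As an added example (not code from the original post), a helper in plain Ruby that applies countermeasure 1 before a user-supplied value ever reaches redirect_to: it accepts only same-site relative paths or absolute URLs whose host is on a whitelist, and falls back to "/" otherwise. The allowed host list, method name and fallback path are assumptions; it also rejects the protocol-relative ("//host"), userinfo ("http://good@evil") and non-http scheme forms that a naive prefix check misses.

```ruby
require "uri"

# Hosts this application is willing to redirect to (constructed example list).
ALLOWED_HOSTS = ["www.example.com", "example.com"].freeze
FALLBACK_PATH = "/"

# Returns a redirect target that is safe to hand to redirect_to, or the
# fallback path when the user-supplied value cannot be trusted.
def safe_redirect_target(candidate, allowed_hosts: ALLOWED_HOSTS, fallback: FALLBACK_PATH)
  return fallback if candidate.nil? || candidate.strip.empty?
  value = candidate.strip

  # Control characters and backslashes are rejected outright: browsers
  # normalise "\" to "/" and newlines can split the Location header.
  return fallback if value.match?(/[\x00-\x1f\\]/)

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.scheme.nil? && uri.host.nil?
    # Relative reference: allow a single-slash path only. "//evil.com" parses
    # with a host, so it never reaches this branch, but be explicit anyway.
    return fallback unless value.start_with?("/") && !value.start_with?("//")
    return value
  end

  # Absolute URL: require http(s), forbid userinfo (the "good@evil" trick),
  # and insist the host is whitelisted. Scheme-relative URLs have no scheme
  # and therefore fail the first check.
  return fallback unless %w[http https].include?(uri.scheme.to_s.downcase)
  return fallback unless uri.userinfo.nil?
  return fallback unless allowed_hosts.include?(uri.host.to_s.downcase)
  value
end
```

In a controller this would be used as redirect_to safe_redirect_target(params[:to]) rather than passing the parameter through directly.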
Got other tips? Please add them in the comment form below.