Jay Kimble -- The Dev Theologian

Security and AJAX (an AJAX musing)

Michael Howard (one of the authors of Writing Secure Code) says that there are two types of security problems: those involving untrusted input, and everything else.  It's true.  Most of the security issues we face and have to deal with in our code can be handled by validation checks.  One of the things AJAX lets us do is blur the line between client and server.  This is really cool, but don't forget to validate your data on the server.

Now some of you may be asking: are you saying I should never do validation on the client?  The answer is no; client validation is a usability feature that makes your app friendlier to the user.  But don't trust data coming from the client that has only been validated by client-side scripts.

I know this can be a pain, but remember that hackers can easily take control of your app with an attack proxy.  By simply examining the traffic flying back and forth, a hacker can determine the right values to change in order to manipulate your app; a hacker can also modify the data returning from the server to make your app behave in an unexpected manner (be careful).

Therefore you should avoid sending user names, passwords and other security-related data over the wire between the browser app and the server (I know you knew that).  You should also make sure that the client is not making security decisions.  I have seen cases where people filtered data in the client app based on credentials passed to the browser from the server, all of it done in JavaScript... be very careful!  Don't offload security logic to the client, ever.
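To make the three points above concrete (validate on the client for usability, validate again on the server, and never let a client-supplied value drive an authorization decision), here is an added example written for this page; it is not code from the original post or from CodeBetter. The session store, catalog, field names (`quantity`, `itemId`, `sessionId`) and the `role` claim a tampered request might carry are all constructed for illustration. The same validation rule is used on both sides, but only the server's copy counts, and the server decides what the user may see from the session it holds, not from anything in the request body.

```javascript
// Added example (not from the original post): client-side validation as a
// usability layer, server-side validation and authorization as the real check.

// Shared rule: an order quantity must be a whole number from 1 to 100.
function validateQuantity(value) {
  const n = Number(value);
  if (!Number.isInteger(n) || n < 1 || n > 100) {
    return { ok: false, error: 'quantity must be a whole number between 1 and 100' };
  }
  return { ok: true, value: n };
}

// Browser side (usability only): runs before the request is sent so the user
// gets instant feedback. Anyone with an attack proxy can skip or rewrite this,
// so nothing here is allowed to stand in for the server's check.
function clientSubmit(form, send) {
  const check = validateQuantity(form.quantity);
  if (!check.ok) return { sent: false, message: check.error };
  send({ quantity: check.value, itemId: form.itemId });
  return { sent: true };
}

// Constructed server-side session store. The user's role lives here, keyed by
// the session cookie; it is never read from the request body.
const SESSIONS = {
  'sess-alice': { user: 'alice', role: 'customer' },
  'sess-root':  { user: 'admin', role: 'admin' },
};

// Constructed catalog with one item that only admins may see.
const CATALOG = [
  { id: 'pub-1', name: 'Widget', internalOnly: false },
  { id: 'int-1', name: 'Unreleased gadget', internalOnly: true },
];

// Server side (security): authenticate from the session, re-validate every
// field, and filter the catalog on the server. A `role` or similar field sent
// by the client is simply ignored.
function handleOrder(request) {
  const session = SESSIONS[request.sessionId];
  if (!session) return { status: 401, body: { error: 'not authenticated' } };

  const check = validateQuantity(request.body.quantity);
  if (!check.ok) return { status: 400, body: { error: check.error } };

  // Filtering happens here, based on server-held role, not in the browser.
  const visible = CATALOG.filter(item => !item.internalOnly || session.role === 'admin');
  const item = visible.find(i => i.id === request.body.itemId);
  if (!item) return { status: 404, body: { error: 'unknown item' } };

  return { status: 200, body: { user: session.user, item: item.name, quantity: check.value } };
}

// Walk through constructed requests, including two where a proxy has altered
// the body after the client-side check already passed.
function demo() {
  const noop = () => {};
  return [
    clientSubmit({ quantity: '5', itemId: 'pub-1' }, noop),   // client accepts
    clientSubmit({ quantity: '-3', itemId: 'pub-1' }, noop),  // client rejects
    // Tampered quantity and injected role claim: server rejects on validation.
    handleOrder({ sessionId: 'sess-alice', body: { quantity: '9999', itemId: 'pub-1', role: 'admin' } }),
    // Injected role claim aimed at an internal item: server ignores the claim.
    handleOrder({ sessionId: 'sess-alice', body: { quantity: '2', itemId: 'int-1', role: 'admin' } }),
    // Real admin session: the same item is visible.
    handleOrder({ sessionId: 'sess-root', body: { quantity: '2', itemId: 'int-1' } }),
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that `validateQuantity` is shared rather than duplicated, so the client and server cannot drift apart on the rule; what must not be shared is the decision about who is allowed to see what, which stays on the server with the session.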


Posted Tue, Aug 16 2005 6:14 PM by Jay Kimble
