I've had a ColdFusion Security Checklist for a while now, but there is an item I will have to add once ColdFusion 8 finally ships.
One of the cool new AJAX features is the debugger. You can turn it on by adding ?cfdebug to your request. While this is nice and cool (and very powerful), it is also something you probably don't want to allow on a public web site.
The ColdFusion 8 Administrator adds a new option in the Debug Output Settings page: Enable AJAX Debug Log Window
It is important to remember though that AJAX requests, by their very nature, are open to inspection, especially with tools like Firebug. So turning off the AJAX Debug Log Window is probably recommended, but don't have any unwarranted expectations about your AJAX code. It is as "safe" as hidden form fields or cookies. (In other words - you can't trust it.)