I’ve read way too many blog posts about inheritance versus composition. All of them revolving around the is-a versus has-a relationship. If that subtlety has left you scratching your head, here’s a real life example.
Rails protects you against CSRF attacks, but it gives you a lot of customisation on how you want to react to them. It can be a great thing as you can have your own strategies, but it can also lead to security issues.