ColdFusion Configuration

Content Author

David Epler


Reviewed/Revised By

Pete Freitag


The previous sections focused on secure ColdFusion coding practices, but if the installation of ColdFusion is configured insecurely, all of that work is for nothing. Securing the ColdFusion Application Server requires making the OS, web server, and the ColdFusion configuration secure. Adobe has published Lockdown Guides for each version of ColdFusion:

Commercial ColdFusion Security Tools


ColdFusion has had security sandboxing for quite a long time, but it is probably an underutilized option for securing ColdFusion because it is only really useful in the Enterprise edition. Sandboxing lets you restrict, for a given subdirectory, access to data sources, ColdFusion tags/functions, directories, and servers/ports. If a piece of ColdFusion code in the sandbox tries to access a restricted resource, ColdFusion will throw an error. The best use of sandboxing is to restrict everything at the webroot of a server and then allow only what is needed for each subdirectory (web application).

Additional Resources:
