Installing ColdFusion Installing the Database Installing Sample Files

What is ColdFusion? Setting Variables Datatypes Commenting Script vs Tag

Decision Making Scopes

Looping

Databases XML JSON

Functions Includes Custom Tags Components

Application cfc

OOP

Intro to ORM

Mail

cfhttp cfdocument cfpdf cfpdfform File Manipulation Image Manipulation Spreadsheets

Caching Advanced Caching

Introduction Injection Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Session Identifier Protection File Uploads Secure Password Storage ColdFusion Configuration

Error Handling Debugging

i18n

What to do Next

Security

ColdFusion Configuration

Content Author

David Epler

dcepler

Reviewed/Revised By

Pete Freitag

pfreitag

The previous sections focused on secure ColdFusion coding practices, but if the installation of ColdFusion is configured insecurely, all of that work is for nothing. Securing the ColdFusion Application Server requires making the OS, web server, and the ColdFusion configuration secure. Adobe has published Lockdown Guides for each version of ColdFusion:

Commercial ColdFusion Security Tools

Fixinator ColdFusion Code Security Scanner - scans your source code and alerts you to vulnerabilities.
FuseGuard Web Application Firewall for CFML - runs inside your CFML application to log or block potentially malicious requests.
HackMyCF CF Server Security Scanner - Scans your CF server on an automated basis to look for missing hotfixes or security misconfigurations.

Sandboxing

ColdFusion has had security sandboxing for quite a long time, but is probably an under utilized option that can help secure ColdFusion because it is only really useful in Enterprise. Sandboxing allows you to restrict access to data sources, ColdFusion tags/functions, directories, and servers/ports on a subdirectory. If a piece of ColdFusion code tries to access a restricted resource in the sandbox, ColdFusion will throw an error. The best use of sandboxing is to restrict everything on the webroot of a server and then only allow what is needed per the subdirectory (web application).

Additional Resources:

Using sandbox security

More Resources

Websites

ColdFusion Developer Security Guide - written for CF11
Security improvements in ColdFusion 10
The Open Web Application Security Project

Books

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition by Dafydd Stuttard and Marcus Pinto
SQL Injection Attacks and Defense, Second Edition by Justin Clarke
XSS Attacks: Cross Site Scripting Exploits and Defense by Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov and Anton Rager

Setup

Basics

Decision Making and Scopes

Looping

Data Handling

Code Reuse

Application cfc

OOP

ORM

Mail

Document Handling

Caching

Security

Error Handling and Debugging

i18n

Conclusion

Security

ColdFusion Configuration

Commercial ColdFusion Security Tools

Sandboxing

More Resources

Websites

Books