Ten tips for securing your ColdFusion application

Over the past year, reports of website security vulnerabilities have increased—in number and severity. Security is a top issue in application development and production. There are a variety of responses to hackers.

ColdFusion application developers—like all application developers—can take steps to prevent security violations. When you install the Macromedia ColdFusion server on your local machine, it’s easy to start developing applications right out of the box. Your focus during development is on the inner workings of the application and not on setting up and configuring the ColdFusion Administrator. When you deploy your ColdFusion application to production, however, you expose your application to the whole world. In this environment, things are different.

Below you’ll find ten tips for setting up your ColdFusion application server with security in mind. This list is divided into these general sections:

  1  Features and settings to turn off
  2  Features and settings to turn on
  3  On-going chores
  4  Testing techniques: A hidden JavaScript example


1 Features and settings to turn off


    1.1 ColdFusion installation

Install ColdFusion on the production server without the documentation and example applications. You can uncheck the Example Applications option during your ColdFusion server installation. While the example applications are helpful to new ColdFusion developers, the CFML source code for these examples is freely available, so they present a tempting target for hackers in a production environment. The example applications were revised in ColdFusion 5 to make them more secure, but there is still rarely a good reason to have them on a production server.
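A post-install check for this tip, added here as an example and not part of the original article: it scans a web root for the documentation and example-application directories a default install leaves behind and counts the CFML templates still reachable in them. The directory names are assumptions for illustration (CFDOCS is the documentation root; the exampleapps sub-path is assumed, not an authoritative list), and the demo web root is constructed in a temporary directory.

```python
import os
import tempfile

# Directories (relative to the web root) that a default ColdFusion install
# places there for documentation and example applications. "CFDOCS" is the
# documentation root; the exampleapps path is an assumed location used for
# illustration only, not an authoritative list for every release.
SAMPLE_DIRS = ("CFDOCS", "CFDOCS/exampleapps")


def _resolve_case_insensitive(base, rel):
    """Walk rel one path component at a time, matching names case-insensitively
    (the server is usually a Windows host). Returns the real path or None."""
    current = base
    for part in rel.split("/"):
        if not os.path.isdir(current):
            return None
        match = next((n for n in os.listdir(current) if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def find_sample_content(webroot):
    """Return [(relative_dir, cfm_template_count), ...] for every sample
    directory still present under webroot. An empty list means the web root
    is clean of the documentation and example applications."""
    findings = []
    for rel in SAMPLE_DIRS:
        path = _resolve_case_insensitive(webroot, rel)
        if path is None:
            continue
        cfm_count = 0
        for _root, _dirs, files in os.walk(path):
            cfm_count += sum(1 for f in files if f.lower().endswith((".cfm", ".cfml")))
        findings.append((rel, cfm_count))
    return findings


def build_demo_webroot():
    """Constructed, throwaway web root that still carries the sample content,
    so the check can be demonstrated offline."""
    root = tempfile.mkdtemp(prefix="cf_webroot_")
    apps = os.path.join(root, "cfdocs", "ExampleApps")  # mixed case on purpose
    os.makedirs(apps)
    for name in ("index.cfm", "login.cfm"):
        open(os.path.join(apps, name), "w").close()
    open(os.path.join(root, "cfdocs", "readme.htm"), "w").close()
    return root


if __name__ == "__main__":
    for rel, count in find_sample_content(build_demo_webroot()):
        print("still present: %s (%d CFML templates)" % (rel, count))
```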