Securing ColdFusion for internet facing server
- Make sure you turn off debugging for production environments
- Have a site-wide error handler to mask any unhandled errors; otherwise the ugly grey box error message from CF will display, which could contain information about your server setup
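One way to provide the masking error handler described above, as an added example that is not code from the original answer: an `onError` method in `Application.cfc` that logs the exception detail server-side and sends the browser a generic page, so neither the stack trace nor the grey ColdFusion error box reaches the client. The application name and the log file name are assumptions.

```cfml
<!--- Application.cfc (added example; "secureApp" is a placeholder name) --->
<cfcomponent output="false">
    <cfset this.name = "secureApp">

    <!---
        Called for any exception not caught by a cftry/cfcatch in the request.
        The full message and detail go to a server-side log only; the user
        sees a generic page with a 500 status and no server information.
    --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep the detail for the operators, never for the browser --->
        <cflog file="#this.name#-errors" type="error"
               text="#arguments.eventName#: #arguments.exception.message# | #arguments.exception.detail#">

        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <html>
            <body>
                <p>Sorry, something went wrong. Please try again later.</p>
            </body>
            </html>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

Errors that occur outside the scope of `Application.cfc` (for example a syntax error in `Application.cfc` itself) are not routed through `onError`, so the ColdFusion Administrator's Site-wide Error Handler setting (Server Settings > Settings) should also point at a static-looking `.cfm` page as a backstop.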
UPDATE May 30, 2010:
Adobe just released the ColdFusion 9 Lockdown Guide (PDF) which includes all sorts of information for properly locking down and securing a ColdFusion server and application.
Original Post:
If only your own applications will be running on the server, start with locking down your web server of choice. Milner's suggestion to put a site-wide error handler to catch any exceptions is a good one to prevent data exposure. You can run debugging in a production environment as long as the output is restricted to specific IP addresses that you specify. As for the CFIDE folder, the only part that really needs to be locked down is the "administrator" sub-folder. There are a lot of things in the CFIDE folder which your application may need if you're using any of the ColdFusion form controls.
Outside of the ColdFusion Server itself, there are a lot of things you need to consider in your code such as:
- Use CFQUERYPARAM on your queries.
- Do not trust user input from the CGI, COOKIE, URL or FORM scopes. Always sanitize the input and do not take any chances with it.
- For data that users have entered that will be displayed later, ensure it's wrapped with the HTMLEditFormat() or JSStringFormat() functions as the case calls for to prevent cross-site scripting attacks.
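The three points above combined in one page, as an added example rather than code from the answer: an untrusted `URL` value is validated before use, bound into the query with `cfqueryparam` instead of being concatenated into the SQL, and the user-entered columns are encoded with the function that matches the context they are rendered into (HTML body versus a JavaScript string). The datasource name `myDSN` and the `users` table are constructed for the example.

```cfml
<!--- userProfile.cfm (added example; datasource and table are constructed) --->

<!--- 1. Do not trust the URL scope: reject anything that is not an integer --->
<cfparam name="url.id" type="integer" default="0">

<!--- 2. Parameterized query: the value is bound as an integer, never built into the SQL string --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, display_name, bio
    FROM   users
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif getUser.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput><p>No such user.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 3. Encode stored user input for the context it lands in --->
<cfoutput query="getUser">
    <!--- HTML body context: HTMLEditFormat escapes < > & " --->
    <h1>#HTMLEditFormat(display_name)#</h1>
    <p>#HTMLEditFormat(bio)#</p>

    <!--- JavaScript string context: JSStringFormat escapes quotes and line breaks --->
    <script type="text/javascript">
        var displayName = '#JSStringFormat(display_name)#';
    </script>
</cfoutput>
```

Using `cfparam` with `type="integer"` makes ColdFusion throw before the query runs if the value is malformed, so the site-wide error handler (not a database error) is what the visitor sees. The two encoders are not interchangeable: a value destined for a JavaScript string literal needs `JSStringFormat()`, and the same value printed into the HTML body needs `HTMLEditFormat()`.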
It may be obvious, but if the server is Internet facing (directly accessible with a public IP), you definitely need some kind of firewall in place, at least a software firewall in your OS or a hardware device to protect the server.
Try out www.hackmycf.com, it's a security analysis tool made by Foundeo and works pretty well!