ColdFusion Security
Comprehensive security hardening guide for ColdFusion 2025 production environments
Properly locking down ColdFusion instances is a critical responsibility for any IT organization. Security configurations have direct impact on your system's vulnerability to attacks. This guide will provide you with essential guidance and a solid starting point for securing your ColdFusion environment.
Secure Profile
Since version 10, ColdFusion has included an advanced security setting called the Secure profile. This feature is intended only for new production deployments. Be aware that servers already in production cannot easily enable this feature without potentially impacting currently running websites due to the Secure profile's security restrictions.
Lockdown Guides
Adobe publishes a PDF called a "Lockdown Guide" that provides a high-level checklist for various versions of the platform.
ColdFusion 2018 Lockdown Guide | ColdFusion 2021 Lockdown Guide
Server Auto-Lockdown (ColdFusion 2018)
ColdFusion 2018 introduced an automated lockdown tool that applies security best practices automatically.
Staying Current
Keeping your ColdFusion installation patched is crucial for maintaining a secure and supported system. You should always keep your installations updated with the latest security patches released by Adobe to protect against known vulnerabilities.
Proactive Security
Routinely scanning your server for vulnerabilities is a proactive measure you can take to identify weaknesses before they can be exploited. One of our most important security recommendations is to conduct annual penetration testing and implement regular vulnerability scanning. HackMyCF provides security scanning services specifically designed for ColdFusion applications.
Database Access
ColdFusion serves as a conduit between your application and your database, so it must be given appropriate database access. SQL injection attacks are especially prevalent in ColdFusion applications because of the direct pathway from the internet to SQL datasources. When using SQL Server, grant only the minimum necessary permissions: SELECT, INSERT, UPDATE, and DELETE. Stored procedures also need SELECT privileges. Never grant elevated permissions such as db_owner or sysadmin to the datasource account used by the CFML layer in any production environment.
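As an added illustration of the least-privilege grants described above (example code, not from this page, Adobe, or Convective), the following T-SQL creates a dedicated SQL Server principal for a ColdFusion datasource with only SELECT, INSERT, UPDATE and DELETE on the application schema plus EXECUTE on one stored procedure, then checks that the principal holds no elevated role. The login, user, database and procedure names (cf_app_login, cf_app_user, AppDB, dbo.usp_GetOrder) are placeholders.

```sql
-- Constructed example: least-privilege SQL Server principal for a ColdFusion datasource.
-- All object names below are placeholders; substitute your own.
USE master;
GO
CREATE LOGIN cf_app_login
    WITH PASSWORD = 'REPLACE_WITH_STRONG_PASSWORD', CHECK_POLICY = ON;
GO
USE AppDB;
GO
CREATE USER cf_app_user FOR LOGIN cf_app_login;
GO
-- Grant only the DML the application actually needs, scoped to the application schema,
-- instead of adding the user to db_owner or a fixed server role.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO cf_app_user;
-- Stored procedures invoked from CFML need EXECUTE on the procedure object.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO cf_app_user;
GO
-- Verification: list every database role the datasource user is a member of.
-- Any db_owner (or other fixed role) row here means the account is over-privileged.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'cf_app_user';
-- Verification: confirm the login is not a member of the sysadmin server role (1 = member).
SELECT IS_SRVROLEMEMBER('sysadmin', 'cf_app_login') AS is_sysadmin;
GO
```

Run the two verification queries periodically (or as part of a deployment check) so that a later, well-meaning role assignment to the datasource account is caught rather than silently widening the blast radius of a SQL injection.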
Additional Help
Stuck?
Convective can help solve even the toughest ColdFusion issues. We've been doing it for over 20 years. Find out more.