ColdFusion Security Assessment Tool

Are all ColdFusion updates and security patches applied?

Has the Adobe ColdFusion 2025 Lockdown Guide been executed?

Is JDK 17 updated to the latest patch release?

Have unused ColdFusion packages been removed via cfpm?

Are unnecessary services and features disabled?

Are file system permissions properly configured?

Is ColdFusion Administrator access restricted by IP address?

Has the default administrator URL path been changed?

Are strong passwords (16+ characters) used for admin accounts?

Is multi-factor authentication enabled for admin access?

Is admin session timeout set to 30 minutes or less?

Is admin access restricted to VPN or bastion host only?

Is direct access to Tomcat ports blocked from external networks?

Are web server connectors properly secured with secret keys?

Is HTTPS enforced with TLS 1.3 or 1.2?

Are firewall rules configured to allow only necessary ports?

Are session cookies configured with Secure and HttpOnly flags?

Is SameSite cookie attribute configured (Strict or Lax)?

Are security headers implemented (CSP, X-Frame-Options, etc.)?

Is comprehensive input validation implemented?

Are parameterized queries used to prevent SQL injection?

Is comprehensive security logging enabled?

Are security logs actively monitored with alerting?

Is intrusion detection/prevention (IDS/IPS) configured?

Is there a documented patch management process?

Are quarterly security audits performed?

Is annual penetration testing conducted?