Lock Down ColdFusion

Example applications and documentation do not belong on production sites (which is why they are an install option). As a rule, the less you have running on a server, the less vulnerable it is. If you do need the CFDOCS directory installed for some reason, secure it (at the OS or Web server level). The same is true for the ColdFusion Administrator – while you cannot really avoid installing it, you definitely should secure the CFIDE directory, and possibly change the directory name to make it harder to find. Remember, the fact that you are running ColdFusion is usually quite obvious – don't encourage hackers by leaving your keys in the door. (Applies to: ColdFusion All)
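
One way to apply the Web-server restriction described above, as an added example that is not part of the original tip. It assumes Apache httpd 2.4 sits in front of ColdFusion, that the directories are served at their default /CFDOCS and /CFIDE URLs, and that 192.0.2.0/24 stands in for your own admin network.

```apache
# Added example: assumes Apache httpd 2.4; 192.0.2.0/24 is a placeholder
# for the network your administrators connect from.

# Example applications and documentation: if the directory has to stay on
# disk, refuse every request for it. (?i) makes the match case-insensitive,
# so /cfdocs, /CFDOCS and /CfDocs are all covered.
<LocationMatch "(?i)^/cfdocs(/|$)">
    Require all denied
</LocationMatch>

# ColdFusion Administrator and the rest of CFIDE: allow only the server
# itself and the admin network. Multiple Require lines are OR-ed by default.
# If the application loads resources from under CFIDE, add a narrower
# exception for that sub-path instead of opening the whole directory.
<LocationMatch "(?i)^/cfide(/|$)">
    Require local
    Require ip 192.0.2.0/24
</LocationMatch>
```

After reloading the configuration, request both URLs from a host outside the allowed range and confirm each returns 403 rather than the login page or the documentation index.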
