Securing Applications - Adobe 38043740 - ColdFusion Standard - Mac Development Manual

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications

Securing Applications

Resource security (Adobe ColdFusion Standard) or sandbox security (Adobe ColdFusion Enterprise) restricts access to
specific resources, such as tags and files. You use the ColdFusion Administrator to configure sandbox or resource
security, and structure an application to take advantage of this security.
User security depends on a user identity. You can implement user security in Adobe ColdFusion applications.
For detailed information on using Administrator-controlled security features, see Configuring and Administering
ColdFusion.
ColdFusion security features
ColdFusion provides scalable, granular security for building and deploying your ColdFusion applications.
ColdFusion provides the following types of security resources:
Development
ColdFusion Administrator is password-protected. Additionally, you can specify a password for access to data sources from Dreamweaver. For more information on configuring Administrator security passwords, see the ColdFusion Administrator online Help.

CFML features
The CFML language includes the following features that you can use to enhance application security.
• The cfqueryparam tag: This tag helps prevent users from injecting malicious SQL expressions. For more information on using this tag for database security, see "Enhancing security with cfqueryparam" on page 416.
• Scriptprotect setting: This setting helps protect against cross-site scripting attacks. You set this value with the ColdFusion Administrator Enable Global Script Protection setting, in the Application.cfc This.scriptprotect variable, or in the corresponding cfapplication tag scriptprotect attribute. For more information on this feature, see cfapplication in the CFML Reference. For information on Application.cfc, see "Defining the application and its event handlers in Application.cfc" on page 241.
• Encryption and hashing functions: The Encrypt, Decrypt, and Hash functions let you select a secure algorithm for encrypting and decrypting data or generating a hash "fingerprint." You can select from among several secure algorithms that underlying Java security mechanisms support. For encryption, these include AES, Blowfish, DES, and Triple DES. For more information, see the Encrypt, Decrypt, and Hash functions in the CFML Reference.
• Data validation tools: ColdFusion includes a variety of tools for validating form input and other data values, including ways to ensure that users do not submit malicious form data. For information on data validation, see "Validating Data" on page 743; for specific information on security and validation, see "Security considerations" on page 747.

Resource/Sandbox
The ColdFusion Administrator can limit access to ColdFusion resources, including selected tags and functions, data sources, files, and host addresses. In the Standard Edition, you configure a single set of resource limitations that apply to all your ColdFusion applications.
In the Enterprise Edition, you can have multiple sandboxes, based on the location of your ColdFusion pages, each with its own set of resource limitations. You can confine applications to secure areas, thereby flexibly restricting the access that the application has to resources.

User
ColdFusion applications can require users to log in to use application pages. You can assign users to roles (sometimes called groups); ColdFusion pages can determine the logged-in user's roles or ID and selectively determine what to do based on this information. User security is also called authentication and authorization security.

Note: You can also use the cfencode utility, located in the cf_root/bin directory, to obscure ColdFusion pages that you distribute. Although this technique cannot prevent persistent hackers from determining the contents of your pages, it does prevent inspection of the pages. The cfencode utility is not available on OS X.

Last updated 1/20/2012
339
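The CFML features listed under "CFML features", brought together in one page as an added example (this is not the manual's code): the scriptprotect attribute on cfapplication, input validation, a cfqueryparam-bound query next to the concatenated form it replaces, and the Hash, Encrypt and Decrypt functions. The datasource name myDSN, the users table and its columns are assumptions made for the example.

```cfml
<!--- Added example, not from the manual. Assumed names: datasource "myDSN", table "users"
      with columns id, username and password_hash (a hex SHA-256 of the password). --->

<!--- Script protection: filters the cgi, cookie, form and url scopes for cross-site
      scripting input; the same effect as This.scriptprotect = "all" in Application.cfc --->
<cfapplication name="SecureApp" scriptprotect="all">

<!--- Data validation: accept only a short alphanumeric user name, reject everything else --->
<cfparam name="url.username" type="string" default="">
<cfparam name="form.password" type="string" default="">
<cfif NOT refind("^[A-Za-z0-9_]{1,50}$", url.username)>
    <cfthrow type="InvalidInput" message="Invalid user name.">
</cfif>

<!--- Weak form, shown only for contrast: the raw value becomes part of the SQL text,
      so the database treats whatever the user typed as SQL --->
<!---
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, password_hash FROM users WHERE username = '#url.username#'
</cfquery>
--->

<!--- Hardened form: cfqueryparam sends the value as a typed, length-limited bind
      parameter, so it can never change the statement itself --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, password_hash
    FROM users
    WHERE username = <cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Hash(): compare a SHA-256 fingerprint of the submitted password with the stored one,
      so the clear-text password is never kept in the database. Compare() returns 0 on match. --->
<cfset loggedIn = false>
<cfif getUser.recordCount EQ 1
      AND compare(hash(form.password, "SHA-256"), getUser.password_hash) EQ 0>
    <cfset loggedIn = true>
</cfif>

<!--- Encrypt()/Decrypt(): protect a value at rest with AES. In a real application the key
      comes from a protected location outside the page; generateSecretKey() is used here
      only to keep the example self-contained. --->
<cfset aesKey = generateSecretKey("AES")>
<cfset sealed = encrypt("session token #createUUID()#", aesKey, "AES", "Base64")>
<cfset opened = decrypt(sealed, aesKey, "AES", "Base64")>
```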