Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 892

Developing applications
DEVELOPING COLDFUSION 9 APPLICATIONS
Requesting and Presenting Information
Improving security
ColdFusion includes several capabilities that help to ensure the security of Ajax applications. Also, the ColdFusion Administrator disables output to the client-side logging window by default (see "Enable logging output" on page 884).

• To prevent cross-site scripting, you cannot use remote URLs in code that executes on the client. For example, if you use a URL such as http://www.myco.com/mypage.cfm in a cfwindow tag source attribute, the remote page does not load in the window and the window shows an error message. If you must access remote URLs, do so in CFML code that executes on the server, for example, by using a cfhttp tag on the page specified by a source attribute.

• When a CFC function returns remote data in JSON format, by default, the data is sent without any prefix or wrapper. To help prevent cross-site scripting attacks where the attacker accesses the JSON data, you can tell ColdFusion to prefix the returned data with one or more characters. You can specify this behavior in several ways. The value of an item in the following list is determined by the preceding item in this list:

1 In the Administrator, enable the Prefix Serialized JSON option on the Server Settings > Settings page (the default value is false). You can also use this setting to specify the prefix characters. The default prefix is //, which is the JavaScript comment marker that turns the returned JSON code into a comment from the browser's perspective. The // prefix helps prevent security breaches because it prevents the browser from converting the returned value to the equivalent JavaScript objects.

2 Set the Application.cfc file This.secureJSON and This.secureJSONPrefix variable values, or set the cfapplication tag secureJSON and secureJSONPrefix attributes.

3 Set the cffunction tag secureJSON attribute. (You cannot use the cffunction tag to set the prefix.)

As a general rule, use one of these techniques for any CFC or CFML page that returns sensitive data, such as credit card numbers.

When you use any of these techniques, the ColdFusion Ajax elements that call CFC functions, including bind expressions and the CFC proxies created by the cfajaxproxy tag, automatically remove the security prefix when appropriate. You do not have to modify your client-side code.

• ColdFusion provides capabilities that help prevent security attacks where an unauthorized party attempts to perform an action on the server, such as changing a password. Use the following techniques to ensure that a request to a CFML page or remote CFC function comes from a ColdFusion Ajax feature, such as a bind expression or CFC proxy, that is a valid part of your application:

• In the cffunction tag in a CFC function that returns data to an Ajax client, specify a verifyClient attribute with a value of yes.

• At the top of a CFML page or function that is requested by a ColdFusion Ajax client, call the VerifyClient ColdFusion function. This function takes no parameters.

The VerifyClient function and attribute tell ColdFusion to require an encrypted security token in each request. To use this function, enable client management or session management in your application; otherwise, you do not get an error, but ColdFusion does not verify clients.

Enable client verification only for code that responds to ColdFusion Ajax client code, because only the ColdFusion Ajax library contains the client-side support code. Enabling client verification for clients other than ColdFusion Ajax applications can result in the client application not running.

As a general rule, use this function for Ajax requests to the server to perform sensitive actions, such as updating passwords. Typically, do not enable client verification for public APIs that do not need to be protected, such as search engine web services. Also, do not enable client verification for the top-level page of an application, because the security token is not available when the user enters a URL in the browser address bar.

Last updated 1/20/2012    887
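The following is an added example, not code from the Adobe manual or from ColdFusion itself. It models how a client consumes a CFC response protected by the secureJSON prefix described above, and why the default // prefix keeps a foreign page that loads the CFC URL in a script tag from obtaining the data; the response bodies are constructed and no ColdFusion server is involved.

```javascript
// Added example (not from the Adobe manual): consuming a secureJSON-prefixed
// CFC response and modelling why the "//" prefix protects the data.
// The response bodies below are constructed for illustration.

const SECURE_JSON_PREFIX = "//"; // ColdFusion's default Prefix Serialized JSON

// Strip the security prefix and parse the remainder as JSON. A body that
// lacks the prefix is rejected, so an endpoint that was never configured
// with secureJSON fails loudly instead of being consumed as unprotected data.
function parseSecureJSON(body, prefix = SECURE_JSON_PREFIX) {
  if (!body.startsWith(prefix)) {
    throw new Error("response is missing the secureJSON prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Model a browser evaluating the response body as a script, which is what
// happens when another site loads the CFC URL through a <script src> tag.
// Indirect eval returns the program's completion value: a bare JSON array
// becomes a live JavaScript array, while a body that starts with "//" is a
// comment from the browser's perspective and yields nothing.
function evaluateAsScript(body) {
  try {
    return (0, eval)(body);
  } catch (e) {
    return undefined; // a syntax error also means no usable value
  }
}

// Constructed CFC responses for a function that returns card records.
const UNPROTECTED = '["card-TEST-0001","card-TEST-0002"]';
const PROTECTED = SECURE_JSON_PREFIX + UNPROTECTED;

function demo() {
  return {
    // The legitimate client strips the prefix and receives the data.
    parsed: parseSecureJSON(PROTECTED),
    // Evaluated as a script, the unprotected body exposes a real array ...
    leakedWithoutPrefix: Array.isArray(evaluateAsScript(UNPROTECTED)),
    // ... whereas the prefixed body evaluates to nothing at all.
    leakedWithPrefix: evaluateAsScript(PROTECTED) !== undefined,
  };
}

console.log(demo());
```

The same stripping step is what the ColdFusion Ajax proxies and bind expressions perform for you; the manual check here matters only when a hand-written client calls a prefixed endpoint directly.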