Choosing A Level Of Coldfusion Security - MACROMEDIA COLDFUSION 4.5-ADMINISTRING COLDFUSION SERVER Manual

inbound data and encrypt outbound data. Once the key is installed, the Web server
automatically encrypts or decrypts data as it is received or transmitted.
If your Web server connections are encrypted with SSL, all communications, including
ColdFusion transmissions, are automatically encrypted. You don't have to do anything
from within ColdFusion to activate data encryption.

Choosing a Level of ColdFusion Security

The rest of this chapter is designed to help you decide which type of ColdFusion
security is right for your particular development needs. Basic and Advanced security
are mutually exclusive ColdFusion features. When you install ColdFusion Server, Basic
security is turned on by default. If you turn on Advanced security, it automatically
overrides all your Basic security settings except one: Tags you protected with Basic
security remain protected when you implement Advanced security.
Note
If you turn off both Basic and Advanced security, all ColdFusion resources and server administration functions become available to anyone who has access to the server. When you install ColdFusion Server, leave Basic security passwords in place until you've finalized your security plan and are ready to implement it.

As you begin to think about how you'll secure your Web applications, keep these important points in mind:

• Security is never absolute. Technology is fast-evolving and the Web is, by nature, an environment that favors openness and access over privacy and security. You should regularly review your security plans to make sure your company hasn't outgrown them.

• No single security model is perfect for every application or development environment. For example, an intranet deployed only to employees from a server behind your company's firewall and an e-commerce site on the Web would have very different security plans. When they plan applications, ColdFusion developers must weigh the costs and benefits of the various security alternatives in the context of the project requirements.

• Trust is perhaps the most important concept to consider when you're planning any security strategy. When users decide whether or not to download something from the Web, it usually depends on if they trust the site. The site can engender trust in any number of ways, by providing a digital certificate, for instance. Similarly, how open you choose to make your ColdFusion environment depends on whether or not all your users are trusted. Generally speaking, the level of trust is inversely proportional to the level of security you need to implement. If trust is high — for example, if your development group consists of five people and they all access the ColdFusion server over a LAN — then you can probably manage with a less secure environment. However, if trust is lower — for example, if you're an Internet Service Provider (ISP) hosting a development site — then you'll need to implement a more complex and