Howto Require SSL for ColdFusion Administrator
October 23, 2009
A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should take less than five minutes on either Apache or IIS.
Require HTTPS on Apache 2
<Location /CFIDE/administrator>
    SSLRequireSSL
</Location>
Add the above to your httpd.conf file, making sure it appears below the LoadModule ssl_module line. Restart Apache; you should then get a 403 Forbidden response over http, and the page should work over https. I tested this on Apache 2.2; I think it should work on prior versions as well, but I have not tested them.
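One way to check a config file for the two conditions above (the Location block contains SSLRequireSSL and sits below LoadModule ssl_module). This is an added example, not code from the original post; the function name and sample configs are constructed, and it assumes a single httpd.conf with one directive per line and no Include files followed.

```python
import re

ADMIN_PATH = "/CFIDE/administrator"  # path used in the article

def audit_httpd_conf(text, path=ADMIN_PATH):
    """Return a list of findings for one httpd.conf; an empty list means OK."""
    ssl_module_line = None  # line number of the first LoadModule ssl_module
    blocks = []             # [start_line, has_sslrequiressl] per matching block
    current = None          # block being read, if it matches `path`
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments start the line
            continue
        if ssl_module_line is None and re.match(r"LoadModule\s+ssl_module\b", line, re.I):
            ssl_module_line = n
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            current = None
            if opened.group(1).rstrip("/") == path:
                current = [n, False]
                blocks.append(current)
        elif re.match(r"</Location\s*>", line, re.I):
            current = None
        elif current and re.match(r"SSLRequireSSL\b", line, re.I):
            current[1] = True

    findings = []
    if ssl_module_line is None:
        findings.append("LoadModule ssl_module not found in this file")
    if not blocks:
        findings.append(f"no <Location {path}> block")
    for start, has_ssl in blocks:
        if not has_ssl:
            findings.append(f"line {start}: <Location {path}> lacks SSLRequireSSL")
        if ssl_module_line is not None and start < ssl_module_line:
            findings.append(f"line {start}: block is above LoadModule ssl_module "
                            f"(line {ssl_module_line})")
    return findings

# Constructed sample configs, not taken from a real server.
MODULE = "LoadModule ssl_module modules/mod_ssl.so\n"
BLOCK = "<Location /CFIDE/administrator>\n    SSLRequireSSL\n</Location>\n"
NO_SSL = "<Location /CFIDE/administrator/>\n    Order allow,deny\n</Location>\n"

if __name__ == "__main__":
    for name, conf in [("good", MODULE + BLOCK), ("wrong order", BLOCK + MODULE),
                       ("no SSLRequireSSL", MODULE + NO_SSL)]:
        print(name, "->", audit_httpd_conf(conf) or "OK")
```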
Require HTTPS on IIS
- Open up IIS Manager Console
- Right click on the CFIDE/administrator/ directory
- Click Directory Security Tab
- Under Secure Communications click Edit
- Enable Require secure channel (SSL)
Comments
On 10/26/2009 at 7:54:00 AM EDT Michael wrote:
How do you limit access to ColdFusion Administrator to just localhost?
On 10/27/2009 at 4:30:46 PM EDT Marc wrote:
Does anyone have information on IP spoofing protection in general and specifically for IIS 6? For example trying to reach a page that IIS limits to 127.0.0.1 or 192.168.1.X
@Michael check out http://www.adobe.com/devnet/coldfusion/articles/cf7_security_04.html for info on locking down the CF admin in IIS (including limiting it to localhost). The article is for CF7 but I have tested it with CF8.
On 12/25/2009 at 4:10:27 AM EST 0lz wrote:
I want to quote your post in my blog. It can? And you et an account on Twitter?
On 12/28/2009 at 8:50:13 AM EST Pete Freitag wrote:
@Olz - Yes you may quote my article on your blog as long as you link back to the article in your post. My account on twitter is: http://twitter.com/pfreitag (not sure if that's what you were asking)







