Howto Require SSL for ColdFusion Administrator

October 23, 2009

A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.

Require HTTPS on Apache 2

<Location /CFIDE/administrator>
	SSLRequireSSL
</Location>

Just add the above to your httpd.conf file, just make sure it appears below LoadModule ssl_module. Restart Apache, and you should get a 403 Forbidden response on http and it should work over https. I tested this on Apache 2.2, I think it should work on prior versions as well, but I have not tested them.

Require HTTPS on ISS

Open up IIS Manager Console
Right click on the CFIDE/administrator/ directory
Click Directory Security Tab
Under Secure Communications click Edit
Enable Require secure channel (SSL)

Permalink | Add Comment |

add to del.icio.us | Tags: ssl, coldfusion, administrator, cfide, security

Related Entries

Is your ColdFusion Administrator Actually Public? - April 28, 2010
Changing the ColdFusion CFIDE Scripts Location - January 10, 2011
Locking Down ColdFusion Presentation Slides - August 4, 2010
J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
Learn about ColdFusion Security at cfObjective 2013 - March 6, 2013

2 people found this page useful, what do you think?

Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 725/7860C8E30F769B9A7318A11D40094B3A

Comments

On 10/26/2009 at 9:54:00 AM EDT Michael wrote:

How do you limit access to ColdFusion Administrator to just localhost?

On 10/27/2009 at 6:30:46 PM EDT Marc wrote:

Does anyone have information on IP spoofing protection in general and specifically for IIS 6? For example trying to reach a page that IIS limits to 127.0.0.1 or 192.168.1.X

@Michael check out http://www.adobe.com/devnet/coldfusion/articles/cf7_security_04.html for info on locking down the CF admin in IIS (including limiting it to localhost). The article is for CF7 but I have tested it with CF8.

On 12/25/2009 at 6:10:27 AM EST 0lz wrote:

I want to quote your post in my blog. It can? And you et an account on Twitter?

On 12/28/2009 at 10:50:13 AM EST Pete Freitag wrote:

@Olz - Yes you may quote my article on your blog as long as you link back to the article in your post. My account on twitter is: http://twitter.com/pfreitag (not sure if that's what you were asking)

On 10/12/2011 at 6:36:25 PM EDT Sn3akyP3t3 wrote:

For IIS 7 another setting presents itself. Which setting should be selected for optimal security?

After "Select Require SSL – Click apply"

A question here is for Client certificates –

Ignore is least secure (default) – does not require clients to verify their identity before gaining access to content

Accept – accept client cert (if provided) & to verify client identity before allowing access to content

Require – requires cert to verify client identity before allowing access to content

On 06/08/2012 at 6:23:11 AM EDT G31 wrote:

You can also just remove the admin directory when its not in use, restoring it when you need to access it - anyone see any problems with this?