As you know one of the first things you should do on a production ColdFusion server is disable robust exception information (this includes things like source code, and file path disclosures in error messages), in the ColdFusion Administrator.

If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivilent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

Note: This is one issue that HackMyCF.

Yesterday I gained access to the Google App Engine for Java, early release program, and as any CFML developer would do, I tried getting a CFML server (both Railo and OpenBD) to run on it. I posted some of my experiences on twitter, unfortunately I was unsuccessful.