Howto Require SSL for ColdFusion Administrator
A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.
Require HTTPS on Apache 2
<Location /CFIDE/administrator> SSLRequireSSL </Location>
Just add the above to your
httpd.conf file, just make sure it appears below
LoadModule ssl_module. Restart Apache, and you should get a 403 Forbidden response on
http and it should work over
https. I tested this on Apache 2.2, I think it should work on prior versions as well, but I have not tested them.
Require HTTPS on ISS
- Open up IIS Manager Console
- Right click on the
- Click Directory Security Tab
- Under Secure Communications click Edit
- Enable Require secure channel (SSL)
- Is your ColdFusion Administrator Actually Public? - April 28, 2010
- New HackMyCF Features - October 24, 2013
- Changing the ColdFusion CFIDE Scripts Location - January 10, 2011
- Locking Down ColdFusion Presentation Slides - August 4, 2010
- CFSummit 2016 Slides - October 17, 2016
@Michael check out http://www.adobe.com/devnet/coldfusion/articles/cf7_security_04.html for info on locking down the CF admin in IIS (including limiting it to localhost). The article is for CF7 but I have tested it with CF8.
And you et an account on Twitter?
After "Select Require SSL – Click apply"
A question here is for Client certificates –
Ignore is least secure (default) – does not require clients to verify their identity before gaining access to content
Accept – accept client cert (if provided) & to verify client identity before allowing access to content
Require – requires cert to verify client identity before allowing access to content
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained