Howto Require SSL for ColdFusion Administrator
A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.
Require HTTPS on Apache 2
<Location /CFIDE/administrator> SSLRequireSSL </Location>
Just add the above to your
httpd.conf file, just make sure it appears below
LoadModule ssl_module. Restart Apache, and you should get a 403 Forbidden response on
http and it should work over
https. I tested this on Apache 2.2, I think it should work on prior versions as well, but I have not tested them.
Require HTTPS on ISS
- Open up IIS Manager Console
- Right click on the
- Click Directory Security Tab
- Under Secure Communications click Edit
- Enable Require secure channel (SSL)
Like this? Follow me ↯Tweet Follow @pfreitag
Howto Require SSL for ColdFusion Administrator was first published on October 23, 2009.
If you like reading about ssl, coldfusion, administrator, cfide, or security then you might also like:
- Is your ColdFusion Administrator Actually Public?
- New HackMyCF Features
- Changing the ColdFusion CFIDE Scripts Location
- Locking Down ColdFusion Presentation Slides
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
- ColdFusion Summit 2022 Slides
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.
The weekly newsletter for the CFML Community
@Michael check out http://www.adobe.com/devnet/coldfusion/articles/cf7_security_04.html for info on locking down the CF admin in IIS (including limiting it to localhost). The article is for CF7 but I have tested it with CF8.
And you et an account on Twitter?