System information

Adobe documentation - Confidential

| URI | Purpose | Safe to Block |
|---|---|---|
| /CFIDE/services | Contains CFCs that can act as a service layer to Flex, or other client side applications. The client application must have a username / password and also an allowed IP. Enabling this feature can open up a large amount of security risk to the application server. | Yes |
| /CFIDE/websocket | API for web socket listener CFCs. Does not need to be open via the web server if used. | Yes |
| /CFIDE/wizards | Possibly used for IDE integration, not needed on production. | Yes |
| /CFIDE/main | Used for RDS | Yes |

Table 2.10.2: Additional URIs to consider blocking:

| URI | Purpose | Safe to Block |
|---|---|---|
| /Application.cf | Block Application.cfc and Application.cfm requests which result in an error when accessed directly. | Yes |
| /WEB-INF | WEB-INF contains configuration data used by the java application server. The Tomcat connector will block this already, but you can block it at the web server level as well. | Yes |
| /cfformgateway | Used for `<cfform format=flash>` | Only if Flash Forms are not used. |
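
An added example, not part of the Adobe guide: a Python check that scans web server access logs for requests to the URIs in the tables above that the web server did not refuse. The common/combined log format, the 403/404 refusal codes, the function names and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# URIs listed in the tables above, lower-cased; matched as path prefixes.
BLOCKED_PREFIXES = (
    "/cfide/services", "/cfide/websocket", "/cfide/wizards", "/cfide/main",
    "/web-inf",
    "/cfformgateway",  # listed as safe to block only if Flash Forms are not used
)
# Assumption: Application.cfc / Application.cfm can sit in any directory,
# so "/application.cf" is matched at any depth rather than only at the root.
ANY_DEPTH = "/application.cf"

# Request target and status code of a common/combined access log entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Drop the query string, decode %XX, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()

def is_blocked_uri(target):
    """True if the request target falls under one of the listed URIs."""
    path = normalize(target)
    return ANY_DEPTH in path or path.startswith(BLOCKED_PREFIXES)

def exposed_requests(log_lines, refused=(403, 404)):
    """Return (path, status) for listed URIs that the web server answered
    with anything other than a refusal (assumed here to be 403 or 404)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_blocked_uri(m["target"]) and int(m["status"]) not in refused:
            findings.append((normalize(m["target"]), int(m["status"])))
    return findings

# Constructed sample log lines (documentation IP range, made-up requests).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/main/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cfide/wizards/ HTTP/1.1" 403 199',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /shop/Application.cfc HTTP/1.1" 500 1024',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /web-inf/web.xml HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, status in exposed_requests(SAMPLE_LOG):
        print(f"not blocked: {path} -> HTTP {status}")
```

A 500 on Application.cfc is reported because it means the request reached ColdFusion and produced the error the table describes, rather than being refused at the web server.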