System information

Adobe documentation - Confidential
the files located in {cf.instance.home}/runtime/conf/ contain important configuration files utilized by
the Tomcat container.
Adding ClickJacking Protection
ColdFusion 10 introduced two Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin.
When a URL is mapped to one of these filters, the X-Frame-Options HTTP header is returned with a
value of DENY or SAMEORIGIN respectively. You can add a filter-mapping in web.xml to enable one of these
filters for a given URI; the same header can also be set at the web server level.
Restricting HTTP Verbs
Most web applications only need GET, HEAD and POST. Applications that make use of
Cross Origin Resource Sharing (CORS) will also require the OPTIONS method. Servers that host REST web
services may require additional HTTP methods.
Whitelisting HTTP Verbs in Apache
The Limit and LimitExcept directives can be used to apply configuration based on the HTTP method. For
example, to deny all requests except GET, HEAD and POST you can add the following to your httpd.conf:

    <Location />
      <LimitExcept GET HEAD POST>
        Order Deny,Allow
        Deny from all
      </LimitExcept>
    </Location>
    TraceEnable off

Note that LimitExcept does not apply to the HTTP TRACE method. The TRACE method can be disabled
using the Apache directive TraceEnable. The Order and Deny directives shown are Apache 2.2 access
control syntax; on Apache 2.4 the equivalent inside the LimitExcept block is "Require all denied".
Restart Apache after making the change.
Whitelisting HTTP Verbs in IIS
Click on the root node in IIS, double click Request Filtering and select the HTTP Verbs tab. Click Allow
Verb and add each HTTP verb you want to allow.
Then, to disallow any verb that has not been explicitly allowed, click Edit Feature Settings and uncheck
Allow unlisted verbs.
Security Constraints in web.xml
The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is
secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:
<security-constraint>
<display-name>POST SSL</display-name>
<web-resource-collection>
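As an added example (not the guide's own snippet), the fragment below combines the clickjacking filter-mapping from the earlier section with a constraint that restricts one URI to POST over SSL; the filter name is the one the guide names, while the URL patterns and the resource name are placeholders to replace with your own paths.

```xml
<!-- Return X-Frame-Options: DENY for everything under the placeholder path /secure/ -->
<filter-mapping>
  <filter-name>CFClickJackFilterDeny</filter-name>
  <url-pattern>/secure/*</url-pattern>
</filter-mapping>

<!-- Deny every method other than POST for the placeholder URI /secure/submit.cfm.
     http-method-omission (Servlet 3.0, available in the Tomcat shipped with ColdFusion 10)
     selects all methods except POST, and the empty auth-constraint denies them all. -->
<security-constraint>
  <display-name>Non-POST denied</display-name>
  <web-resource-collection>
    <web-resource-name>Submit handler (placeholder)</web-resource-name>
    <url-pattern>/secure/submit.cfm</url-pattern>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Require SSL for the POST requests that remain allowed;
     Tomcat redirects plain HTTP requests to the HTTPS port. -->
<security-constraint>
  <display-name>POST SSL</display-name>
  <web-resource-collection>
    <web-resource-name>Submit handler (placeholder)</web-resource-name>
    <url-pattern>/secure/submit.cfm</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After restarting ColdFusion, verify with a GET and a POST to the URI over plain HTTP: the GET should be refused (403) and the POST redirected to HTTPS.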