User Guide

374 Chapter 16: Securing Applications
ColdFusion security features
ColdFusion provides scalable, granular security for building and deploying your ColdFusion applications.

ColdFusion provides the following types of security resources:
Development
The ColdFusion MX Administrator is protected by a password. Additionally, you can specify a password for access to data sources from Macromedia Dreamweaver MX. For more information on configuring Administrator security passwords, see the ColdFusion MX Administrator online Help.
CFML features
The CFML language includes specific features that you can use to enhance application security. These include the following features:

The cfqueryparam tag
This tag helps prevent users from injecting malicious SQL expressions. For more information on using this tag for database security, see “Enhancing security with cfqueryparam” on page 472.
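The difference cfqueryparam makes is easiest to see with the two forms side by side. The following is an added example, not code from the guide; the datasource name "cfdocexamples", the Employee table, its columns, and the URL and form field names are assumed for illustration.

```cfml
<!--- Added example. Datasource "cfdocexamples", table Employee and the field names are assumed. --->

<!--- Unsafe: the raw URL value is pasted into the SQL text, so whatever the caller
      appends to Emp_ID becomes part of the statement the database executes. --->
<cfquery name="getEmployeeUnsafe" datasource="cfdocexamples">
    SELECT Emp_ID, FirstName, LastName
    FROM Employee
    WHERE Emp_ID = #URL.Emp_ID#
</cfquery>

<!--- Hardened: validate the parameter on arrival, then pass it as a typed bound
      parameter. A non-numeric Emp_ID is rejected before any SQL is sent. --->
<cfparam name="URL.Emp_ID" type="numeric" default="0">

<cfquery name="getEmployee" datasource="cfdocexamples">
    SELECT Emp_ID, FirstName, LastName
    FROM Employee
    WHERE Emp_ID = <cfqueryparam value="#URL.Emp_ID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters: declare the SQL type and bound the length as well, so the
      value is always treated as data, never as part of the statement. --->
<cfparam name="Form.LastName" type="string" default="">

<cfquery name="findByLastName" datasource="cfdocexamples">
    SELECT Emp_ID, FirstName, LastName
    FROM Employee
    WHERE LastName = <cfqueryparam value="#Form.LastName#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<cfoutput query="getEmployee">
    #FirstName# #LastName#<br>
</cfoutput>
```

The typed parameter does two jobs: the database receives the value separately from the statement text, and ColdFusion raises an error for input that does not fit the declared cfsqltype, which is a useful early signal in application logs that a request carried something other than an ID.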
Scriptprotect setting
This setting helps protect against cross-site scripting attacks. You can set this value with the ColdFusion MX Administrator Enable Global Script Protection setting, in the Application.cfc This.scriptprotect variable, or in the corresponding cfapplication tag scriptprotect attribute. For more information on this feature, see cfapplication in CFML Reference. For information on Application.cfc see “Defining the application and its event handlers in Application.cfc” on page 282.
Encryption and hashing functions
The Encrypt, Decrypt, and Hash functions let you select a secure algorithm for encrypting and decrypting data or generating a hash “fingerprint.” You can select from among several secure algorithms that are supported by the underlying Java security mechanisms; for encryption, these include AES, Blowfish, DES, and Triple DES. For more information, see the Encrypt, Decrypt, and Hash functions in CFML Reference.
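To show how the algorithm, key and encoding arguments fit together, here is an added example that is not from the guide. It uses the Encrypt, Decrypt, Hash and GenerateSecretKey functions with the argument order they take in ColdFusion MX 7; the sample plaintext, the "storedDigest" variable and the submitted password are constructed values.

```cfml
<!--- Added example. Sample values are constructed; storedDigest stands in for a
      value that a real application would read from a user table. --->

<!--- Generate a random key for the chosen algorithm. In practice the key is created
      once and kept outside the web root; it lives in a variable here only so the
      example is self-contained. --->
<cfset aesKey = GenerateSecretKey("AES")>

<!--- Encrypt with AES. The algorithm name selects among the Java providers' ciphers
      (AES, Blowfish, DES, DESEDE for Triple DES); Base64 makes the ciphertext safe
      to store in an ordinary text column. --->
<cfset cardNumber = "4111111111111111">
<cfset cipherText = Encrypt(cardNumber, aesKey, "AES", "Base64")>

<!--- Decrypt needs the same key, algorithm and encoding that produced the ciphertext. --->
<cfset plainText = Decrypt(cipherText, aesKey, "AES", "Base64")>

<!--- Hash is one-way: the digest identifies the input but cannot be reversed, so it
      suits fingerprints and password checks, not data you need to read back. --->
<cfset storedDigest = Hash("correct horse battery staple", "SHA-256")>

<!--- Verifying a submitted password: hash it the same way and compare digests. --->
<cfset submittedPassword = "correct horse battery staple">
<cfif CompareNoCase(Hash(submittedPassword, "SHA-256"), storedDigest) EQ 0>
    <cfset passwordOk = true>
<cfelse>
    <cfset passwordOk = false>
</cfif>

<cfoutput>
    Round trip restored the plaintext: #plainText EQ cardNumber#<br>
    SHA-256 digest is #Len(storedDigest)# hex characters<br>
    Password check passed: #passwordOk#<br>
</cfoutput>
```

Choosing the algorithm by name is the whole point of these functions: the same call shape works for AES or for the older ciphers, so moving an application from DES to AES is a change of one argument plus a new key of the right size. For stored password digests, a per-user salt concatenated with the password before hashing is the usual addition; the page's Hash function supports it, since the salt is simply part of the input string.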
Data validation tools
ColdFusion includes a variety of tools for validating form input and other data values, including ways to ensure that users do not submit malicious form data. For information on data validation see Chapter 28, “Validating Data,” on page 659; for specific information on security and validation, see “Security considerations” on page 664.
Note: This chapter does not discuss development or CFML language security features. For
additional information on security in ColdFusion programs, see the security entries in the index.
Resource/Sandbox
The ColdFusion MX Administrator can limit access to ColdFusion resources, including selected tags and functions, data sources, files, and host addresses. In the Standard Edition, you configure a single set of resource limitations that apply to all your ColdFusion applications.

In the Enterprise Edition, you can have multiple sandboxes, based on the location of your ColdFusion pages, each with its own set of resource limitations. You can confine applications to secure areas, thereby flexibly restricting the access that the application has to resources.
User
ColdFusion applications can require users to log in to use application pages. You can assign users to roles (sometimes called groups); ColdFusion pages can determine the logged-in user’s roles or ID and selectively determine what to do based on this information. User security is also called authentication and authorization security.
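Both the Application.cfc This.scriptprotect setting described under CFML features and the user login and role checks described here are normally configured in Application.cfc, so one file serves both passages. The following is an added example and not code from the guide: the application name, the datasource "demoAuth", the Users table with its UserName, PasswordHash and Roles columns, the loginform.cfm template and the admin.cfm page are all assumed names.

```cfml
<!--- Application.cfc (added example; "demoAuth", Users, loginform.cfm and admin.cfm are assumed). --->
<cfcomponent>
    <cfset this.name = "SecureDemoApp">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <!--- Script protection for every scope (cgi, cookie, form, url). The same value can
          be set with <cfapplication scriptprotect="all"> or the Administrator's
          Enable Global Script Protection setting. --->
    <cfset this.scriptprotect = "all">

    <!--- No output attribute on purpose: output="false" would suppress the login form
          that this function includes when a request is not yet authenticated. --->
    <cffunction name="onRequestStart" returnType="boolean">
        <cfargument name="targetPage" type="string" required="true">

        <!--- The cflogin body runs only for requests that have no logged-in user. --->
        <cflogin>
            <cfif IsDefined("cflogin")>
                <!--- cflogin.name and cflogin.password are populated from the
                      j_username and j_password form fields of the login form. --->
                <cfquery name="checkUser" datasource="demoAuth">
                    SELECT UserName, Roles
                    FROM Users
                    WHERE UserName = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar" maxlength="64">
                    AND PasswordHash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
                </cfquery>

                <cfif checkUser.recordCount EQ 1>
                    <!--- Roles is a comma-delimited list such as "user,admin". --->
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#checkUser.Roles#">
                <cfelse>
                    <!--- Wrong credentials: show the form again and stop this request. --->
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                </cfif>
            <cfelse>
                <!--- No credentials submitted yet: show the form and stop this request. --->
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- admin.cfm: authorization check on an individual page. Authentication already
      happened in onRequestStart; this decides what the logged-in user may do. --->
<cfif NOT IsUserInRole("admin")>
    <cfoutput>User #GetAuthUser()# is not authorized to view this page.</cfoutput>
    <cfabort>
</cfif>
```

The split between the two files mirrors the guide's terminology: cflogin and cfloginuser perform authentication once per login, and IsUserInRole and GetAuthUser perform authorization on each page. Because cfloginuser receives the role list at login time, role changes in the Users table take effect at the user's next login, which is worth remembering when revoking access.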