Does anyone have any guides, tips or suggestions on securing your web facing Lucee Coldfusion Applications?
Any tips or guides appreciated.
- lock down access to the /lucee/admin folder via your webserver
- move all your WEB-INF folders outside the context webroots https://docs.lucee.org/guides/installing-lucee/windows/installing-the-boncode-connector-and-mod_cfml.html#optional-relocating-web-inf-files-outside-the-web-root
- add samesite to all cookies via your webserver config and vote for this bug which is about adding native support from within Lucee https://luceeserver.atlassian.net/browse/LDEV-1236
# Apache 2.4
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
- never trust user input, always encode it when outputting user input
- always use bound query parameters, i.e. cfqueryparam etc
- use CSRF tokens (SameSite cookies make them slightly redundant)
Server and code security concepts are covered fairly well at https://cfdocs.org/security
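Putting the code-level points from the answer above together (bound query parameters, output encoding for the right context, and CSRF tokens) as one runnable Lucee page. This is an added example, not code from the thread or from Lucee itself; the datasource name "app", the table users(id, username), the form field names and the token key "profileForm" are all assumptions made for the illustration.

```cfml
<!--- Added example (not from the original thread). Assumes a datasource
      named "app" with a table users(id, username), a form posting
      "username" and "csrfToken", and session management enabled in
      Application.cfc (this.sessionManagement = true), which
      csrfGenerateToken()/csrfVerifyToken() require. All hypothetical. --->
<cfscript>
// 1. Bound parameters: never build SQL by string concatenation.
// The vulnerable form, kept only as a comment to show what NOT to do:
//   queryExecute("SELECT id, username FROM users WHERE username = '#form.username#'",
//                {}, { datasource: "app" });
// Hardened form: the value travels as a typed, length-limited bound parameter,
// so quotes or comment sequences in the input never reach the SQL parser as SQL.
function findUser(required string username) {
    return queryExecute(
        "SELECT id, username FROM users WHERE username = :username",
        { username: { value: arguments.username, cfsqltype: "cf_sql_varchar", maxlength: 64 } },
        { datasource: "app" }
    );
}

// 2. Output encoding: pick the encoder for the context the value lands in.
// Element text gets encodeForHTML(), an attribute value gets encodeForHTMLAttribute();
// encoding happens at output time, not when the data is stored.
function renderUserRows(required query q) {
    var html = "<ul>";
    for (var row in q) {
        html &= '<li data-id="#encodeForHTMLAttribute(row.id)#">'
              & encodeForHTML(row.username) & '</li>';
    }
    return html & "</ul>";
}

// 3. CSRF: issue a session-bound token with the form and verify it on submit.
// The token key ("profileForm") scopes the token to this form.
function renderProfileForm() {
    var token = csrfGenerateToken("profileForm");
    return '<form method="post" action="/profile/update">'
         & '<input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">'
         & '<input type="text" name="username" maxlength="64">'
         & '<button type="submit">Save</button>'
         & '</form>';
}

// Handler for the POST: reject the request before touching any data unless the
// token is present and matches the one stored in the session for this key.
function handleProfileUpdate() {
    if (!structKeyExists(form, "csrfToken") || !csrfVerifyToken(form.csrfToken, "profileForm")) {
        cfheader(statuscode=403, statustext="Forbidden");
        return "Invalid or missing CSRF token";
    }
    var users = findUser(form.username ?: "");
    return renderUserRows(users);
}

// Dispatch on the HTTP method so the same page serves the form and handles the submit.
if (cgi.request_method == "POST") {
    writeOutput(handleProfileUpdate());
} else {
    writeOutput(renderProfileForm());
}
</cfscript>
```

The CSRF check runs first and returns a 403 before any query executes, so a forged cross-site POST never reaches the data layer. The SameSite=Strict cookie attribute from the Apache snippet above stops the browser from sending the session cookie on cross-site requests in the first place, which is why the answer calls the token partly redundant; keeping both covers browsers that ignore SameSite.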