Application Security Practice, Suggestions

Does anyone have any guides, tips or suggestions on securing your web-facing Lucee ColdFusion applications?

Any tips or guides appreciated.

  1. lock down access to the /lucee/admin folder via your webserver
  2. move all your WEB-INF folders outside the context webroots https://docs.lucee.org/guides/installing-lucee/windows/installing-the-boncode-connector-and-mod_cfml.html#optional-relocating-web-inf-files-outside-the-web-root
  3. add samesite to all cookies via your webserver config and vote for this bug which is about adding native support from within Lucee https://luceeserver.atlassian.net/browse/LDEV-1236

     ```apache
     # Apache 2.4
     Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
     ```

  4. never trust user input, always encode it when outputting user input
  5. always use bound query parameters, i.e. cfqueryparam etc
  6. use CSRF tokens (samesite cookies make them slightly redundant)
1 Like
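Points 4 to 6 of the list above (output encoding, bound query parameters, CSRF tokens) in one small CFML form handler. This is an added example, not code from the poster or from the Lucee project; the `form.cfm`/`submit.cfm` file names, the `comments` table and the `app` datasource are assumed for illustration. `csrfGenerateToken()`, `csrfVerifyToken()`, `encodeForHTML()` and `queryExecute()` are built-in CFML functions.

```cfml
<!--- form.cfm (assumed name): the page that issues the CSRF token with the form --->
<cfoutput>
<form method="post" action="submit.cfm">
  <!--- Tip 6: the token is bound to the session; an attacker's cross-site form cannot know it --->
  <input type="hidden" name="csrfToken" value="#csrfGenerateToken()#">
  <input type="text" name="author">
  <textarea name="body"></textarea>
  <button type="submit">Post comment</button>
</form>
</cfoutput>

<!--- submit.cfm (assumed name): the handler that applies tips 4, 5 and 6 --->
<cfscript>
// Tip 6: refuse the request unless the submitted token matches the one issued above.
// A missing token is treated like a wrong one.
if ( !csrfVerifyToken( form.csrfToken ?: "" ) ) {
    cfheader( statusCode = 403, statusText = "Forbidden" );
    writeOutput( "Invalid request token" );
    abort;
}

// Tip 5: bound parameters. The user-supplied values never become part of the SQL
// text; the driver sends them separately, so quotes or comment markers in the
// input cannot change the statement. "comments" table and "app" datasource are assumed.
queryExecute(
    "INSERT INTO comments (author, body) VALUES (:author, :body)",
    {
        author = { value = form.author ?: "", cfsqltype = "cf_sql_varchar" },
        body   = { value = form.body   ?: "", cfsqltype = "cf_sql_varchar" }
    },
    { datasource = "app" }
);
</cfscript>

<!--- Tip 4: never echo user input raw. encodeForHTML() escapes <, >, &, quotes, so an
      author of "<script>alert(1)</script>" is rendered as visible text, not executed. --->
<p>Thanks, <cfoutput>#encodeForHTML( form.author ?: "" )#</cfoutput>. Your comment:</p>
<blockquote><cfoutput>#encodeForHTML( form.body ?: "" )#</cfoutput></blockquote>
```

The same three habits apply to every request that writes or displays data: verify the token before doing anything with side effects, keep user values out of the SQL string, and pick the encoder for the context you are writing into (`encodeForHTML()` for element content, `encodeForHTMLAttribute()` for attribute values, `encodeForJavaScript()` inside scripts), since an HTML encoder alone does not make a value safe inside a JavaScript string.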

Server and code security concepts are covered fairly well at https://cfdocs.org/security

1 Like