Does anyone have any guides, tips or suggestions on securing your web facing Lucee Coldfusion Applications?
Any tips or guides appreciated.
- lock down access to the /lucee/admin folder via your webserver
- move all your WEB-INF folders outside the context webroots Installing the Boncode connector and mod_cfml :: Lucee Documentation
- add samesite to all cookies via your webserver config and vote for this bug which is about adding native support from within Lucee [LDEV-1236] - Lucee
# Apache 2.4
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
- never trust user input, always encode it when outputting user input
- always use bound query parameters, i.e. cfqueryparam etc
- use CSRF tokens (samesite cookies makes them slightly rendundant)
1 Like
Server and code security concepts are covered fairly well at ColdFusion Security Guide CFML Documentation
1 Like