One more item for the ColdFusion Security Checklist - AJAX Debugging

I've had a ColdFusion Security Checklist for a while now, but there is an item I will have to add once ColdFusion 8 finally ships.

One of the cool new AJAX features is the debugger: append ?cfdebug to a request and ColdFusion opens a debug log window in the browser that shows what your AJAX code is doing. While this is nice (and very powerful), it is also something you probably don't want to allow on a public web site, because it gives any visitor the same view into your application that you get as a developer.

The ColdFusion 8 Administrator adds a new option on the Debug Output Settings page: Enable AJAX Debug Log Window. Turning this off is what disables the ?cfdebug window on that server.

It is important to remember, though, that AJAX requests, by their very nature, are open to inspection, especially with tools like Firebug. So turning off the AJAX Debug Log Window is recommended, but don't have any unwarranted expectations about your AJAX code: everything it sends and everything it receives is as "safe" as a hidden form field or a cookie. In other words, you can't trust it, and any value that arrives from the browser still has to be checked on the server.
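To make that concrete, here is an added example (not code from the original post) of a remote CFC method that an AJAX front end would call. Both versions, the table name orders, the columns id, customerId and total, the datasource in application.dsn and the session.customerId value set at login are all assumptions for the sake of the illustration. The first method trusts a customer id that the browser sends along with the request, which is exactly the hidden-form-field mistake: anyone who sees the call in Firebug can change the number. The second method takes the owner from server-side session state and only accepts the order id from the client.

```cfml
<!--- orders.cfc (added example, not from the original post).
      Assumed: table orders(id, customerId, total), datasource in
      application.dsn, and session.customerId set by the login code. --->
<cfcomponent output="false">

    <!--- VULNERABLE: the customer id comes from the AJAX request.
          The browser (or Firebug, or a script) can send any value,
          so this returns any customer's order to anyone. --->
    <cffunction name="getOrderUnsafe" access="remote" returntype="struct"
                returnformat="json" output="false">
        <cfargument name="orderId" type="numeric" required="true">
        <cfargument name="customerId" type="numeric" required="true">
        <cfset var q = "">
        <cfset var result = structNew()>

        <cfquery name="q" datasource="#application.dsn#">
            SELECT id, customerId, total
            FROM orders
            WHERE id = <cfqueryparam value="#arguments.orderId#" cfsqltype="cf_sql_integer">
              AND customerId = <cfqueryparam value="#arguments.customerId#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cfset result.id = q.id>
        <cfset result.customerId = q.customerId>
        <cfset result.total = q.total>
        <cfreturn result>
    </cffunction>

    <!--- HARDENED: the only client-supplied value is the order id, and it
          is validated by type. Ownership is decided by server-side session
          state that the browser never sees and cannot edit. --->
    <cffunction name="getOrder" access="remote" returntype="struct"
                returnformat="json" output="false">
        <cfargument name="orderId" type="numeric" required="true">
        <cfset var q = "">
        <cfset var result = structNew()>

        <!--- Not logged in: refuse, regardless of what the request claims. --->
        <cfif NOT structKeyExists(session, "customerId")>
            <cfthrow type="NotAuthenticated" message="Login required.">
        </cfif>

        <cfquery name="q" datasource="#application.dsn#">
            SELECT id, customerId, total
            FROM orders
            WHERE id = <cfqueryparam value="#arguments.orderId#" cfsqltype="cf_sql_integer">
              AND customerId = <cfqueryparam value="#session.customerId#" cfsqltype="cf_sql_integer">
        </cfquery>

        <!--- Same response for "does not exist" and "belongs to someone else",
              so the endpoint does not confirm which order ids are real. --->
        <cfif q.recordCount EQ 0>
            <cfthrow type="NotFound" message="No such order.">
        </cfif>

        <cfset result.id = q.id>
        <cfset result.customerId = q.customerId>
        <cfset result.total = q.total>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

From the browser the hardened method is called as orders.cfc?method=getOrder&orderId=42 (with returnformat=json appended by the AJAX layer if it is not set on the method). Watching that call in Firebug tells an attacker the order id and the response shape, which is fine: nothing in it lets them change whose orders they are allowed to see.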


About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos.