One more item for the ColdFusion Security Checklist - AJAX Debugging


I've had a ColdFusion Security Checklist for a while now, but there is an item I will have to add once ColdFusion 8 finally ships.

One of the cool new AJAX features is the debugger. You can turn it on by appending ?cfdebug to the request URL. While this is nice and cool (and very powerful), it is also something you probably don't want to allow on a public web site.

The ColdFusion 8 Administrator adds a new option on the Debug Output Settings page: "Enable AJAX Debug Log Window".

It is important to remember, though, that AJAX requests, by their very nature, are open to inspection, especially with tools like Firebug. So turning off the AJAX Debug Log Window is probably recommended, but don't have any unwarranted expectations about your AJAX code. It is as "safe" as hidden form fields or cookies. (In other words, you can't trust it.)
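Even with the debug window switched off in the Administrator, it is worth knowing whether anyone is appending ?cfdebug to requests against a public site, since that is a cheap signal that someone is poking at debug features. The script below is an added example, not code from the post or from ColdFusion itself: it scans web-server access log lines in Apache "combined" format for requests whose query string carries a cfdebug parameter (with or without a value) and reports them by client address, path and status. The log lines are constructed for the example; the regular expression assumes the combined format and would need adjusting for IIS or a custom log layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2007:14:02:11 -0500] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2007:14:02:15 -0500] "GET /index.cfm?cfdebug HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2007:14:03:02 -0500] "GET /cart.cfm?id=42&cfdebug=1 HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2007:14:03:40 -0500] "POST /ajax/lookup.cfm HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Matches the leading fields of a combined-format line: client IP, timestamp,
# request method, request target (path plus query string) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string parameter names that switch on ColdFusion debug output.
# ?cfdebug is the one named in the post; compare case-insensitively.
DEBUG_PARAMS = {"cfdebug"}


def parse_line(line):
    """Return a dict with ip, ts, method, path, params and status, or None
    if the line does not look like a combined-format access log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values=True so a bare "?cfdebug" (no "=value") still counts.
    rec["params"] = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return rec


def find_debug_requests(log_text):
    """Return (ip, timestamp, path, status) for every request carrying a
    debug-enabling query parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["params"] & DEBUG_PARAMS:
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"]))
    return hits


def count_by_ip(hits):
    """Aggregate debug-parameter requests per client address."""
    counts = {}
    for ip, _ts, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_debug_requests(SAMPLE_LOG)
    for ip, ts, path, status in found:
        print(f"{ts}  {ip:15}  {status}  {path}")
    print("per client:", count_by_ip(found))
```

A 200 status on a ?cfdebug request does not by itself prove that debug output was returned (the setting may be off), but on a site where the window is meant to be disabled, a non-trivial count of these requests from one address is a reasonable thing to review alongside the Administrator setting.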


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA