There are some interesting new security-related features in ColdFusion 8 that I thought I'd share. I just discovered them myself while writing one of the Ajax chapters for CFWACK.
JSON Prefixes
The first new feature is JSON Prefixes. A JSON prefix is simply a string put in front of your JSON so that the response is not a runnable script, which prevents malicious code from having it executed automatically. If you go to your ColdFusion Administrator, you will see a new option under Settings:
Prefix serialized JSON with
This is disabled by default. If you do enable it, the default prefix is //, which is a JavaScript line comment. You can also set this security setting directly in your Application.cfc file using two new settings:
secureJSON
secureJSONPrefix
So for example, I could have this in my Application.cfc:
<cfset this.secureJSON = "true">
<cfset this.secureJSONPrefix = "//">
Now here is the truly cool part. All JavaScript code that ColdFusion generates will automatically work with these settings and strip the prefix before it works with your JSON. Seems darn easy to use.
Also - you can enable secureJSON at the CFFUNCTION level by adding secureJSON="true" to your method. You cannot, however, set a custom prefix.
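For Ajax calls you write by hand rather than ones ColdFusion generates, the client has to do the same stripping itself. The following is an added example (not ColdFusion's own client code, and not from this post) that shows both sides of the mechanism: what a prefixed response looks like on the wire, and a small parser that removes the configured prefix before JSON.parse and refuses a response that does not carry it. The prefix value "//" and the fetchSecuredJson wrapper name are assumptions for the example.

```javascript
// Added example: handling a ColdFusion "secureJSONPrefix" on a hand-written
// Ajax client. "//" is the ColdFusion default; any other configured prefix
// can be passed in.
const DEFAULT_PREFIX = "//";

// What the server side produces: the prefix followed by the serialised value.
// A bare JSON array or object is valid JavaScript, so a page that loaded the
// response with <script src=...> would evaluate it; with "//" in front the
// whole body is a comment and evaluates to nothing.
function serializeWithPrefix(value, prefix = DEFAULT_PREFIX) {
  return prefix + JSON.stringify(value);
}

// Client side: strip the prefix, then parse. A body without the expected
// prefix is rejected rather than silently parsed, so a misconfigured
// endpoint (secureJSON off, or a different prefix) is noticed immediately.
function parseSecuredJson(body, prefix = DEFAULT_PREFIX) {
  if (typeof body !== "string") {
    throw new TypeError("response body must be a string");
  }
  // Tolerate a UTF-8 BOM or leading whitespace ahead of the prefix.
  const text = body.replace(/^\uFEFF/, "").trimStart();
  if (!text.startsWith(prefix)) {
    throw new Error(`expected secure JSON prefix ${JSON.stringify(prefix)}`);
  }
  return JSON.parse(text.slice(prefix.length));
}

// Convenience wrapper around fetch() for real use in a browser (assumed
// helper name; not part of ColdFusion). Reads the body as text first
// because response.json() would fail on the prefix.
async function fetchSecuredJson(url, prefix = DEFAULT_PREFIX, init = {}) {
  const response = await fetch(url, init);
  if (!response.ok) {
    throw new Error(`HTTP ${response.status} from ${url}`);
  }
  return parseSecuredJson(await response.text(), prefix);
}

// Constructed sample: a serialised record, as a CFC method with
// secureJSON="true" would return it.
const sampleBody = serializeWithPrefix({ id: 42, name: "example" });
// sampleBody is '//{"id":42,"name":"example"}'
const sampleRecord = parseSecuredJson(sampleBody);
// sampleRecord is { id: 42, name: "example" }

module.exports = { DEFAULT_PREFIX, serializeWithPrefix, parseSecuredJson, fetchSecuredJson };
```

Note that the prefix is a wire-format guard, not a secret: it keeps a response from being usable as a script, and the parser above fails loudly when the server and client disagree about it.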
VerifyClient
Now this is an interesting one. You can now add verifyClient="true" to a CFFUNCTION, or add <cfset verifyClient()> at the top of a CFM page. When used, ColdFusion will look for a special encrypted token sent in by Ajax requests. The docs say that you should only use this option for CFC methods/CFM pages that are called by Ajax requests. You also have to enable client or session management for this to work.
For more information, see page 685 of the ColdFusion 8 Developer's Guide.
Archived Comments
Where's the ColdFusion 8 Developer's Guide located, Ray?
I wish we had the VerifyClient for Flex. I get nervous when the methods are given access="remote". Of course there are ways to manually verify the client, but if it was done automatically that would be great and in line with "Making hard stuff easier".
@John:
http://www.adobe.com/suppor...
So what does the secureJSON prefix mechanism actually prevent? Like a hacker that has some program that intercepts JSON results and acts on them before the browser does? Are there any good resources for learning about why this is really useful?
Should we be implementing the translation manually in AJAX operations not generated by ColdFusion? Is it worth it?
I'll be honest and say I find it a bit confusing. I believe the idea is that the hacker somehow gets in the way and sends different JSON to you. But if they don't put the proper 'prefix' in front, your front end client would consider it invalid. Now, to me, if I was a hacker, I'd just dig and see what prefix is expected, so I don't get how this helps much.