There are some interesting new features in ColdFusion 8 related to security that I thought I’d share. I just discovered them myself (I’m writing one of the Ajax chapters for CFWACK) and I thought I’d share.
The first new feature is JSON Prefixes. A JSON prefix is simply a string put in front of your JSON to prevent malicious code from being executed automatically. If you go to your ColdFusion Administrator, you will see a new option under Settings:
Prefix serialized JSON with
So for example, I could have this in my Application.cfc:
<cfset this.secureJSON = "true">
<cfset this.secureJSONPrefix = "//">
Also - you can enable secureJSON at the CFFUNCTION level by adding secureJSON=”true” to your method. You cannot, however, set a custom prefix.
Now this is in an interesting one. You can now add verifyClient=”true” to a CFFUNCTION, or add <cfset verifyClient()> on top of a CFM page. When used, ColdFusion will look for a special encrypted token sent in by Ajax requests. The docs say that you should only use this option for CFC methods/CFM pages that are called by Ajax requests. You also have to enable client or session management for this to work.
For more information, see page 685 of the ColdFusion 8 Developer’s Guide.