There are some interesting new features in ColdFusion 8 related to security that I thought I'd share. I just discovered them myself (I'm writing one of the Ajax chapters for CFWACK) and I thought I'd share.

JSON Prefixes

The first new feature is JSON Prefixes. A JSON prefix is simply a string put in front of your JSON to prevent malicious code from being executed automatically. If you go to your ColdFusion Administrator, you will see a new option under Settings:

Prefix serialized JSON with

This is disabled by default. If you do enable it the default is //, which represents a JavaScript comment. You can also set this security setting directly in your Application.cfc file using two new settings:


So for example, I could have this in my Application.cfc:

<cfset this.secureJSON = "true"> <cfset this.secureJSONPrefix = "//">

Now here is the truly cool part. All JavaScript code that ColdFusion generates will automatically work with these settings and remove the prefix before it works with your JSON. Seems darn easy to use.

Also - you can enable secureJSON at the CFFUNCTION level by adding secureJSON="true" to your method. You cannot, however, set a custom prefix.


Now this is in an interesting one. You can now add verifyClient="true" to a CFFUNCTION, or add <cfset verifyClient()> on top of a CFM page. When used, ColdFusion will look for a special encrypted token sent in by Ajax requests. The docs say that you should only use this option for CFC methods/CFM pages that are called by Ajax requests. You also have to enable client or session management for this to work.

For more information, see page 685 of the ColdFusion 8 Developer's Guide.