Getting Started with ColdFusion Security

This post is more than 2 years old.

A reader just asked:

Hello, I am Brazilian and I am starting to develop with ColdFusion. I would like some tips on how to develop with security, my applications, so you never have problems. Thanks.

That's a pretty huge question. Before I start to delve into some answers, I think it is absolutely critical that you never assume you will not have problems. You will always have problems. You can - however - work very hard to mitigate and minimize your problems as much as possible. When it comes to security, there is absolutely no "silver bullet" that you can do once and simply move on from. Security is an ongoing, ever present concern.

With that out of the way, here are some resources that I think can help you. I encourage my readers to add to this list.

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA

Archived Comments

Comment 1 by Sarah Kelly posted on 7/8/2010 at 5:28 PM

Very timely post, Ray! I'm sitting here in a web application security class...

I would recommend Jason's website ( as a great general resource, but there's so much there that it can be a bit overwhelming. I really like how you've simplified where to *start*.

Comment 2 by LD posted on 7/8/2010 at 6:04 PM

Indeed. Just finished a security course and was searching for CF specific info. Thanks

Comment 3 by David Hammond posted on 7/8/2010 at 6:32 PM

Two more great general resources for learning about website security are:

OWASP Top 10:


I have not had time to go through Jarlsberg completely, but from what I've seen it's a really nice introduction to identifying security problems by example.

Comment 4 by Rodion Bykov posted on 7/8/2010 at 8:30 PM

Thank you for links, useful.

"Security is an ongoing, ever present concern.".
My fellow developer in a bank says "Security is a process".

Comment 5 by Sebastiaan posted on 7/9/2010 at 1:18 PM

I'd, like Sarah Kelly, recommend the extensive security series Jason Dean has created on his website:

I learned a lot from them, not only locking down your server but also on how to program with security in mind.

Comment 6 by Sebastiaan posted on 7/9/2010 at 1:35 PM

And for those of you on ACF8:

Here you can find similar documents for earlier versions of ACF, as many companies haven't made the jump to ACF9.

For Railo users: Hmmm, documentation still needs to improve. Googling doesn't really provide me with the desired information, not like ACF. Locking down the Administrator is possible, but otherwise I guess one has to follow the guidelines set out by Adobe.

Comment 7 by Tom Chiverton posted on 7/9/2010 at 1:54 PM

Might I suggest for some practical advice too ?