The Adobe engineers are hard at work fixing bugs and preparing ColdFusion 10 for its final release. One of the interesting features that landed after the initial public release is a "Secure Profile" during installation. (Edit: Shilpi Khariwal just added a blog post on this new feature!) While installing ColdFusion, users can select to enable a Secure Profile that modifies around 20 default settings to help lock down the server. To be clear, this is not meant to be a one-size-fits-all solution, nor does it imply you can never worry about security again. Instead, it is simply meant to help guide people toward a more secure production server.

This new feature is only available during installation. I thought it might be interesting to create a one-page report tool covering those security options set up during installation. I wasn't able to get every single one (a few options are not available yet via the Admin API), but my report covers 17 settings. For each one it tells you your current setting and the recommended setting. Good values are marked in green, bad values in red (or a red variant; I had design help from Rachel Lehman). Here's a screenshot:

Click the shot to embiggen (it's a word - AICN says so) and I apologize for not having a fancy jQuery-based lightbox setup.

Some of the features checked are:

  • Robust exceptions
  • Allowed SQL operations in DSNs
  • RDS being enabled
  • and more!
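To show the kind of check the report runs, here is an added example in CFScript that is not the code from the GitHub repo. It queries three of the listed settings through the ColdFusion Admin API and flags each as ok or not. It assumes the Admin API CFCs under `cfide.adminapi`, that the caller supplies the Administrator password, that the debugging property for robust exceptions is named `robust_enabled`, and that `getDatasources()` returns a struct keyed by DSN name whose entries carry boolean keys named after the allowed SQL operations; the set of operations treated as risky is my own choice for the illustration.

```cfml
<cfscript>
// Added example, not the code of the Secure Profile report. Returns an array of
// {name, current, recommended, ok} structs, one per setting checked.
function securityProfileReport(required string adminPassword) {
    var admin = createObject("component", "cfide.adminapi.administrator");
    admin.login(arguments.adminPassword);

    var debugging  = createObject("component", "cfide.adminapi.debugging");
    var security   = createObject("component", "cfide.adminapi.security");
    var datasource = createObject("component", "cfide.adminapi.datasource");

    var report = [];

    // Robust exception information: leaks stack traces and SQL to visitors.
    // The property name "robust_enabled" is an assumption for this example.
    var robust = debugging.getDebugProperty("robust_enabled");
    arrayAppend(report, {
        name="Enable robust exception information",
        current=robust, recommended=false, ok=(robust EQ false)
    });

    // RDS: a remote development hook that should be off in production.
    var rds = security.isRdsEnabled();
    arrayAppend(report, {
        name="RDS enabled",
        current=rds, recommended=false, ok=(rds EQ false)
    });

    // Allowed SQL operations per DSN. The operations treated as risky here are
    // an illustration; the boolean key names are assumed to match the
    // operation names shown in the Administrator.
    var riskyOps = ["create", "drop", "alter", "grant", "revoke"];
    var dsns = datasource.getDatasources();
    for (var dsnName in dsns) {
        var allowed = [];
        for (var op in riskyOps) {
            if (structKeyExists(dsns[dsnName], op) AND dsns[dsnName][op]) {
                arrayAppend(allowed, op);
            }
        }
        arrayAppend(report, {
            name="DSN '#dsnName#' allows risky SQL operations",
            current=arrayToList(allowed), recommended="",
            ok=(arrayLen(allowed) EQ 0)
        });
    }

    return report;
}

// Usage (password is a placeholder): loop over the result and colour rows by ok
rows = securityProfileReport("your-admin-password");
for (row in rows) {
    writeOutput("<p style='color:#row.ok ? 'green' : 'red'#'>#row.name#: #row.current# (recommended: #row.recommended#)</p>");
}
</cfscript>
```

Each row is reported independently so a single bad DSN does not hide the others, and the function logs in once per call rather than per check, which keeps the Administrator password in one place.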

To install, read my guide on CF Admin extensions and, of course, use ColdFusion 10. This could easily be modified to work in ColdFusion 9 with a few IF checks here and there. The bits may be found at the GitHub repo (I'll add it to RIAForge once ColdFusion 10 is officially released.)

https://github.com/cfjedimaster/ColdFusion-Security-Profile