ColdFusion security features

ColdFusion provides scalable, granular security for building and deploying your ColdFusion applications.
ColdFusion provides the following types of security resources:

  • Development ColdFusion Administrator is password-protected. Additionally, you can specify a password for access to data sources from Dreamweaver. For more information on configuring Administrator security passwords, see the ColdFusion Administrator online Help.
  • CFML features The CFML language includes the following features that you can use to enhance application security.
    • The cfqueryparam  tag: This tag helps prevent users from injecting malicious SQL expressions. For more information on using this tag for database security, see Enhancing security with cfqueryparam ,
    • Scriptprotect setting: You can use this setting to protect against cross-site scripting attacks. However, using Scriptprotect does not ensure complete protection. Set this value with the ColdFusion Administrator Enable Global Script Protection setting, in the Application. cfc This.scriptprotect variable, or in the corresponding  cfapplication  tag  scriptprotect  attribute. For more information on this feature, see  cfapplication  in the CFML Reference. For information on Application.cfc see Defining the application and its event handlers in Application.cfc.
    • Encryption and hashing functions: The Encrypt, Decrypt, and Hash functions let you select a secure algorithm for encrypting and decrypting data or generating a hash "fingerprint." You can select from among several secure algorithms that underlying Java security mechanisms support. For encryption, these include, AES, Blowfish, DES and Triple DES. For more information, see the EncryptDecrypt, and Hash, functions in the CFML Reference.
    • Data validation tools: ColdFusion includes a variety of tools for validating form input and other data values, including ways to ensure that users do not submit malicious form data. For information on data validation see  Validating data; for specific information on security and validation, see Security considerations in About ColdFusion validation.
  • Resource/Sandbox The ColdFusion Administrator can limit access to ColdFusion resources, including selected tags and functions, data sources, files, and host addresses. In the Standard Edition, you configure a single set of resource limitations that apply to all your ColdFusion applications.In the Enterprise Edition, you can have multiple sandboxes, based on the location of your ColdFusion pages, each with its own set of resource limitations. You can confine applications to secure areas, thereby flexibly restricting the access that the application has to resources.
  • UserColdFusion applications can require users to log in to use application pages. You can assign users to roles (sometimes called groups); ColdFusion pages can determine the logged-in user's roles or ID and selectively determine what to do based on this information. User security is also called authentication and authorization security.


You can also use the cfencode utility, located in the cf_root/bin directory, to obscure ColdFusion pages that you distribute. Although this technique cannot prevent persistent hackers from determining the contents of your pages, it does prevent inspection of the pages. The cfencode utility is not available on OS X.


Get help faster and easier

New user?