Tags: security, coldfusion, coldfusion-7

Securing / Protecting a Website Administration area


I'm trying to lock down a website administration area. First things first, I need to add a session check to an Application.cfm! This should handle all CFM files, regardless of location.

But what do I do about CSS, JS and HTML files being accessed directly?

Any other security suggestions? Thanks


Solution

  • Any static files (html, jpg, css, pdf, mdb (lol), etc.) can be secured by placing them outside the web root and using cfheader and cfcontent to access the files. Your CFM file with cfheader and cfcontent should be covered by your application security.

    <!--- Tell the browser to treat the response as a download --->
    <cfheader name="content-disposition" value="attachment; filename=myAwesomeAccessDatabaseIsTheBombDigity.mdb">
    <!--- Stream the file from a directory outside the web root (MIME type fixed: x-msaccess) --->
    <cfcontent type="application/x-msaccess" file="c:\NotMyWebsite\myAwesomeAccessDatabaseIsTheBombDigity.mdb">
    

    Doing this with an HTML file is kind of silly, though, because the linked assets (CSS, JS, JPG, etc.) won't be accessible if they are also below your web root. HTML, CSS, JS and images (unless you're running a graphic sales website) don't usually need to be protected like that.
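To show the whole pattern end to end, here is an added example (not code from the original answer or question) of an Application.cfm session gate plus a download script that serves files from outside the web root with cfheader and cfcontent. The directory `C:\NotMyWebsite\protected\`, the `session.isAuthenticated` flag, and the file names `Application.cfm` / `download.cfm` are assumptions chosen for the example; the structNew()-based MIME table keeps the code within ColdFusion 7 syntax. Because the script takes a file name from the URL, it restricts that name to a plain `name.ext` form so that only files in the protected directory can be reached.

```cfml
<!--- ===== Application.cfm (assumed name/location: admin directory root) =====
      ColdFusion runs this before every .cfm request in this directory tree,
      so the session check below also covers download.cfm. --->
<cfapplication name="adminArea"
               sessionmanagement="true"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<cfif not structKeyExists(session, "isAuthenticated") or not session.isAuthenticated>
    <!--- Not logged in: redirect to the login page and stop processing this request --->
    <cflocation url="login.cfm" addtoken="false">
</cfif>


<!--- ===== download.cfm (assumed name) =====
      Serves a protected static file that lives outside the web root.
      The web server cannot reach that directory, so the only route to the
      files is this script, which Application.cfm has already gated. --->
<cfset protectedDir = "C:\NotMyWebsite\protected\">   <!--- assumed path --->

<!--- Accept only a bare file name: letters, digits, "_", "-" and one extension.
      This rejects path separators and "..", so the request cannot escape protectedDir. --->
<cfparam name="url.file" default="">
<cfif not reFind("^[A-Za-z0-9_\-]+\.[A-Za-z0-9]+$", url.file)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfset fullPath = protectedDir & url.file>
<cfif not fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Extension -> MIME type lookup; anything unknown is sent as a generic binary --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes.pdf = "application/pdf">
<cfset mimeTypes.css = "text/css">
<cfset mimeTypes.js  = "application/javascript">
<cfset mimeTypes.jpg = "image/jpeg">
<cfset mimeTypes.mdb = "application/x-msaccess">

<cfset ext = lCase(listLast(url.file, "."))>
<cfset contentType = "application/octet-stream">
<cfif structKeyExists(mimeTypes, ext)>
    <cfset contentType = mimeTypes[ext]>
</cfif>

<!--- Deliver the file as a download; reset="true" discards any whitespace
      already generated so the byte stream is exactly the file's contents --->
<cfheader name="Content-Disposition" value="attachment; filename=""#url.file#""">
<cfcontent type="#contentType#" file="#fullPath#" reset="true">
```

A request such as `download.cfm?file=report.pdf` then returns the file only for an authenticated session, while `download.cfm?file=..\secret.mdb` fails the name check with a 400 before any file system access happens.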