Adobe® ColdFusion® 10 Server Lockdown Guide
Section 5: ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.

5.1 Server Settings > Settings

| Setting | Default | Recommendation | Description |
| --- | --- | --- | --- |
| Timeout Requests after | Checked / 60 Sec. | Checked / 5 Sec. | Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should override it with the cfsetting tag. |
| Use UUID for cftoken | Unchecked | Checked | The default cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID / CFTOKEN pair. This setting is not necessarily required if J2EE sessions are enabled; however, it doesn't hurt to turn it on anyway. |
| Disable CFC Type check | Unchecked | Unchecked | Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. |
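The following CFML is an added example, not code from the Lockdown Guide, illustrating two rows of the table above: a long-running template that raises the request timeout for itself via cfsetting (so the server-wide value can stay at 5 seconds), and a function that validates its argument explicitly instead of relying on CFC type checking, which is what "built the application to account for this" means in practice. The function name, the 300-second value and the datasource name ordersDSN are assumptions made for the example.

```cfml
<!--- Part 1: a scheduled-task template that needs more than the 5-second
      server-wide limit raises the timeout for this request only.
      300 seconds is a constructed value; pick the smallest that fits the job. --->
<cfsetting requestTimeout="300">

<!--- Part 2: with "Disable CFC Type check" enabled, type="numeric" below is
      no longer enforced by the server, so the function validates the value
      itself before using it. The check is harmless when enforcement is on. --->
<cffunction name="getOrder" access="public" returntype="struct" output="false">
    <cfargument name="orderId" type="numeric" required="true">

    <!--- Explicit validation runs regardless of the server setting --->
    <cfif NOT isValid("integer", arguments.orderId) OR arguments.orderId LTE 0>
        <cfthrow type="InvalidArgument" message="orderId must be a positive integer">
    </cfif>

    <!--- cfqueryparam keeps the value typed at the database boundary as well;
          ordersDSN is an assumed datasource name --->
    <cfquery name="local.q" datasource="ordersDSN">
        SELECT id, status
        FROM orders
        WHERE id = <cfqueryparam value="#arguments.orderId#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfset local.result = { id = local.q.id, status = local.q.status }>
    <cfreturn local.result>
</cffunction>
```

With the server timeout at 5 seconds, only templates that carry their own cfsetting override may run longer, which keeps a slow or runaway request from tying up worker threads elsewhere. The argument check means that toggling "Disable CFC Type check" later does not turn a type mismatch into an unhandled exception or an unvalidated value reaching the query.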
57