Adobe® ColdFusion® 10 Server Lockdown Guide
Setting: Enable Global Script Protection
Default: Unchecked
Recommendation: Understand limitations, Checked
Description: This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks. When this setting is turned on it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags: object, embed, script, applet, meta with InvalidTag. This setting does not restrict any javascript strings that may be injected and executed, iframe tags, or any XSS obfuscation techniques. See Appendix A.13 for more information on XSS attack vectors.

Setting: Default ScriptSrc Directory
Default: /CFIDE/scripts/
Recommendation: /somewhere-else/
Description: Because the scripts directory also contains CFML source code (such as FCKeditor), you should move this directory to a non-default location.
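The following Python script is an added illustration of the limitation described for Global Script Protection; it is not part of the guide and does not reproduce ColdFusion's actual neo-security.xml pattern. It models the filter as an assumed regular expression that renames the five listed tag names to InvalidTag, runs it over constructed sample inputs, and contrasts it with contextual output encoding, which is the control that actually neutralises all of the samples.

```python
import html
import re

# Constructed approximation of the blacklist filter the guide describes; the real
# pattern lives in ColdFusion's neo-security.xml and is not reproduced here.
BLOCKED_TAGS = ("object", "embed", "script", "applet", "meta")
TAG_RE = re.compile(r"<\s*(/?)\s*(?:" + "|".join(BLOCKED_TAGS) + r")\b", re.IGNORECASE)


def script_protect(value: str) -> str:
    """Rename blacklisted opening/closing tags to InvalidTag; leave everything else untouched."""
    return TAG_RE.sub(lambda m: "<" + m.group(1) + "InvalidTag", value)


def encode_for_html(value: str) -> str:
    """Contextual output encoding: '<', '>', '&' and quotes become inert text."""
    return html.escape(value, quote=True)


def untouched_by_filter(samples):
    """Return the inputs that the blacklist filter passes through unchanged."""
    return [s for s in samples if script_protect(s) == s]


# Constructed sample inputs (not from the guide) standing in for form/URL variables.
SAMPLES = [
    '<script>alert(1)</script>',                     # on the blacklist: renamed
    '<OBJECT data="x"></OBJECT>',                     # on the blacklist (case-insensitive in this model)
    '<iframe src="//example.invalid/"></iframe>',    # iframe is not on the list: passes
    '<img src=x onerror="run()">',                    # javascript in an attribute: passes
    '<a href="javascript:run()">link</a>',           # javascript: URL: passes
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:48} -> filter: {script_protect(s)!r}")
        print(f"{'':48}    encode: {encode_for_html(s)!r}")
    print("unchanged by the filter:", untouched_by_filter(SAMPLES))
```

The three samples that survive the filter are exactly the classes the guide calls out (iframe tags and injected javascript strings); encoding on output renders all five harmless regardless of what the filter did, which is why the recommendation is to treat the setting as defence in depth and not as XSS protection on its own.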
60