Security is a broad topic area and the threats are constantly evolving. Security encompasses more than just writing secure code, but also items like the configuration and setup of the servers and network, and practices and procedures for handling sensitive data.
In this chapter, we'll focus on areas of security that you have the most control over as a ColdFusion developer in order to help you write more secure ColdFusion code and understand the security settings in the ColdFusion Administrator, making it more difficult for an attacker to exploit your web application. We say "more difficult" because no web application can be 100% secure.
There are several shifts in thought required.
Deny lists are lists of known "bad" (sometimes referred to as a Black list) patterns. Since there are always
new attacks, black lists will always keep growing and are only as good
as the known pattern it can detect. ColdFusion 7 introduced a feature
called Script Protect that provided minimal Cross-site Scripting (XSS)
prevention and is an example of a deny list. It could block input that
<script> tags while still allowing
<iframe> because it was not
included in the pattern to look for.
Allow lists, on the other hand, are a list of "good" values or patterns that the web application will accept for a given input, and all others are rejected. Allow lists are sometimes referred to as White lists. Allow lists have the advantage in that they are a finite set and can be used as part of the server side validation of data. An example of a white list would be a list of US States abbreviations used to check the value of the State form field on a form.
Using allow lists is the preferred approach and will be shown throughout this chapter in the examples.