ColdFusion 9 Wish list - Server Installation

May 16, 2008

So currently ColdFusion has three basic installation choices: Self-contained, J2EE with JRun or J2EE EAR/WAR. It will also ask a couple of questions, like if you want RDS service on or not, etc.

Now, when you install ColdFusion, it is not really setup for production purposes – hosting ‘live’ applications securely. Most services are on and not really locked down. To properly lock down ColdFusion for a production environment, it actually takes a good deal of time. Adobe has a good article on this subject at: http://www.adobe.com/devnet/coldfusion/articles/cf7_security.html

This, of course, could be far easier if ColdFusion had an additional set of options in the setup to determine the purpose of the installation: development (low security) or production (high security). This would solve two particular issues that I see. First, it would greatly reduce the setup time for a production level ColdFusion server. Secondly, it would further remind people that the default (low security) installation is not design for hosting ‘live’ applications.

Below are some of the items I think a production installation of ColdFusion should address. Of course, these items are involved directly with the ColdFusion installation process. There would be other items dealing with the server and the web server specifically that this feature could not address.

- Have only the HEAD,GET and POST http verbs (methods) turn on for IIS or Apache. .NET does this, why not CF?
- Disable the RDS service.
- Turn off CF ODBC services, production applications should be using SQL Server, Oracle and maybe MySQL. All of these do not require the use of the CF ODBC services.
- Have ColdFusion run under its own account. Not, as in Windows, running under the Local System Account. Once again, .NET does this and it’s a fairly simple thing to do.
- Turn on UUID for CFTokens
- Do not install the documentation or sample applications.
- Turn off debugging
- By default, have sandbox security turn on
- Disable access to internal ColdFusion Java components
- Default client variable storage to cookie instead of registry (in fact take the registry option out)

There are other items that I address in particular like the maximum session timeouts, but these are items that are more to do with my particular style. The list above hits several of the bigger items.

Another issue is the location of the ColdFusion administrator and for that matter the cfcexplorer and AdminAPI CFCs. The CFIDE mapping should really be split into two separate mappings. The CF administrator, cfcExplorer and the AdminAPI CFCs should be in one mapping called CFADMIN. In our production mode setup, this mapping should be locked down to the localhost. The scripts folder which has all the libraries that run the Flash Forms and AJAX features should be in a second mapping called CFEXT, for ColdFusion extensions. Or we can call it CFLIB for ColdFusion library. You get the idea. The scripts, classes, images and maybe the debug folder should be included in this second mapping as well.

Comments

Flüge Australien

Flüge Australien wrote on 08/26/08 6:42 AM

I find the idea of a wish list marvelous! I wonder why there are so little contributors commenting here. In my eyes your wish list is great, the question is only about what the developers will adopt.
Airline Bewerten

Airline Bewerten wrote on 10/21/08 9:33 PM

I guess I have just always found a solution for those situations never to really think about it. With all of the list and array methods I am wondering where this would come in hand? Good start though, thanks for your thoughts!
Garten

Garten wrote on 02/19/09 12:37 PM

I would really like to find out what developers are looking for in the next version of ColdFusion. I am trying to put together a wish list to pass on to the engineering team (I know I am behind on this, sorry guys) and I am drawing a blank. I have a list of about 5 things right now so I could really use some feedback.
John Mason

John Mason wrote on 02/19/09 2:17 PM

Garten,

The next CF edition is already in Alpha. It would be too late to incorporate any new features at this point. I would wait and see what this next release has and then compile your wish list after that. I would suspect the beta should be out fairly soon.
Girokonto

Girokonto wrote on 07/19/09 1:50 PM

A wishlist would be great, but I think its not possible to realizie everything.
XTC-Templates

XTC-Templates wrote on 08/23/09 1:21 PM

when does the first beta will be released ?
Mike

Mike wrote on 10/08/09 2:27 PM

I would wait and see what this next release has and then compile your wish list after that.

Write your comment



(it will not be displayed)