Top Ten Web Security Tips
By Michael Smith Michael@teratech.com
All websites are potentially vulnerable to hackers. Follow
these steps to make your site much more secure.
Items marked (*) can be coded once in Application.cfm
* Have an Error Handler
Don’t display detailed error messages – email the error to the admin
instead using CFERROR and CFMAIL. Don’t store error info in hidden form fields
– it can be viewed!
Don’t give extra info in error messages – eg userid correct
but password wrong
Prevent Cross-site scripting – URL and FORM variables
* Use URLEncrypt and Decrypt from www.cflib.org
Checksum hidden FORM fields to prevent them from being
* Scan and remove dangerous characters from URL/FORM
* Prevent fake form submits – check that the referrer CGI.HTTP_REFERER
is in the same domain
* Use CGI.CF_TEMPLATE_PATH to control what is run – eg
Prevent viewing other users’ data by changing URL or FORM
parameters - checksum
Validate all URL and FORM input – use CFPARAM to check data type and
required fields, use CFQUERYPARAM for all CF variables in SQL.
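The two items above (a checksum on URL/FORM parameters, and CFPARAM plus CFQUERYPARAM on every input), combined in one page as an added example; this is not code from the original handout. It assumes a datasource named myDSN with an orders table, a secret stored in APPLICATION.hmacKey (set in Application.cfm), and ColdFusion 10 or later for hmac().

```cfml
<!--- Added example, not from the original handout.
      Assumed: datasource "myDSN" with table "orders", a secret in
      APPLICATION.hmacKey set in Application.cfm, ColdFusion 10+ for hmac(). --->

<!--- CFPARAM enforces presence and type: a missing or non-integer id
      throws before any SQL runs. --->
<cfparam name="URL.id" type="integer">
<cfparam name="URL.chk" type="string">

<!--- Recompute the checksum the same way the link-building page did:
      HMAC-SHA256 over the id with a server-side secret. --->
<cfset expected = hmac(URL.id, APPLICATION.hmacKey, "HMACSHA256")>

<!--- A mismatch means the id was changed in the URL (an attempt to view
      another user's record), so stop before touching the database. --->
<cfif compare(expected, URL.chk) NEQ 0>
    <cfthrow message="Invalid request">
</cfif>

<!--- CFQUERYPARAM binds the value as a typed parameter instead of
      splicing it into the SQL string. --->
<cfquery name="order" datasource="myDSN">
    SELECT id, customer, total
    FROM orders
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- When building links to this page, attach the checksum to the id
      so only server-generated ids are accepted. --->
<cfset link = "order.cfm?id=#order.id#&chk=#hmac(order.id, APPLICATION.hmacKey, 'HMACSHA256')#">
```

The same pattern applies to hidden FORM fields: compute the checksum when the form is rendered and verify it against FORM.chk on submit.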
Use server-side validation to back up client-side validation, which
can be disabled by the user.
Logon – require hard passwords, time out after 3
failures. Store hashed passwords instead of plain text in the database.
* Timeout client and session – roll your own timeout.
Protect Back button.
Protect use of CFFILE uploads and CFCONTENT file
display – a hacker can upload dangerous CFM files or view your source code.
Apply the latest patches for Windows, IIS and CF
Remove software that is not used
Use hard-to-guess long passwords with numbers in them
What Security Means
Security is hard because a hacker only needs one window to be open to get in while
you must close all the holes. Assume bad things will happen and code for
Security is a way of thinking – “How can they get in to this page?”
Security knowledge is power - don’t keep security tips secret!