
I'm trying to lock down a website administration area. First things first, I need to add a session check to an Application.cfm! This should handle all CFM files, regardless of location.

But what do I do about CSS, JS and HTML files being accessed directly?

Any other security suggestions? Thanks

Daniel Cook
  • What do you mean by CSS, JS and HTML files being accessed directly? Those files will always be visible to your users and there is no way around it. If the browser can understand it then the user can understand it too. – Zed Jan 31 '13 at 13:05
  • So we cannot protect the likes of domain/admin/assets/stylesheet.css if a user is not logged in? – Daniel Cook Jan 31 '13 at 13:11
  • You _can_ protect those (in various ways); the question is do you _need_ to? What does a stylesheet contain that is sensitive? – Peter Boughton Jan 31 '13 at 13:12
  • I guess my main concern is the CFM files, I just wanted to be thorough - if non-CFM files cannot create a security breach then I suppose I don't need to. – Daniel Cook Jan 31 '13 at 13:15
  • It's not non-CFM files you want to consider, it's static vs scripting. HTML, CSS, JS files are all static files - they don't _do_ anything on the server, can't obtain data from the database, etc. – Peter Boughton Jan 31 '13 at 13:18
  • (Of course, if your JS files contain AJAX/REST requests, the target of those needs to be appropriately secured. This is _probably_ covered by your CFML security, but potentially outside of a normal Application, so worth checking.) – Peter Boughton Jan 31 '13 at 13:19
  • Thanks I was just mulling over AJAX, if they try to make an AJAX call to the cfc which is sitting in a subfolder of 'admin' then the Application.cfm security check should handle it I assume. – Daniel Cook Jan 31 '13 at 13:22
  • Assume nothing. Try it and see what happens. – Dan Bracuk Jan 31 '13 at 13:24
  • What Dan says - it _should_ handle it, but don't assume it will; make sure it does. – Peter Boughton Jan 31 '13 at 13:30

1 Answer

Any static files (html, jpg, css, pdf, mdb(lol), etc) can be secured by placing them outside the web root and using cfheader and cfcontent to access the files. Your CFM file with cfheader and cfcontent should be covered by your application security.

<!--- Force a download rather than inline display; the file itself lives outside the web root --->
<cfheader name="content-disposition" value="attachment; filename=myAwesomeAccessDatabaseIsTheBombDigity.mdb">
<cfcontent type="application/x-msaccess" file="c:\NotMyWebsite\myAwesomeAccessDatabaseIsTheBombDigity.mdb">

Doing this with an HTML file is kind of silly though because the linked assets (CSS, JS, JPG, etc) won't be accessible if they are also below your web root. HTML, CSS, JS, images (unless you're running a graphic sales website) don't usually need to be protected like that.

genericHCU
  • Also worth pointing out that this causes requests to go via CF - rather than just the web server - thus increasing load. Not a problem for occasional use, but something to be aware of if regularly used (as it might be if sending CSS/JS via it). – Peter Boughton Jan 31 '13 at 15:31
  • Oh, and whenever doing cfcontent like this, you should generally either send no-cache headers (if caching not wanted), or send appropriate expires headers, and detect/handle If-Modified-Since and respond with 304 not modified. – Peter Boughton Jan 31 '13 at 15:35
  • Good tip on the caching. I didn't mention server security because it may not be an option on a shared server or handling security outside of the application just isn't an option. Assuming the ability is there and securing those files is a must, doing so at the OS level is certainly doable. – genericHCU Jan 31 '13 at 16:13
  • Just for a bit of background - It's a fairly high profile website, they have their own infrastructure and host their own applications. – Daniel Cook Jan 31 '13 at 16:26
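Putting the thread together (the session check from the question, the cfheader/cfcontent gatekeeper from the answer, and the caching and If-Modified-Since handling from Peter Boughton's comment), here is an added example. It is not code from the question, the answer or any commenter. It assumes an admin login page at /admin/login.cfm, a session variable session.userId set on successful login, and a store directory c:\NotMyWebsite\ outside the web root (the path the answer used); the file allow list is constructed for illustration. Serving only names from a fixed allow list, rather than whatever the request supplies, keeps the gatekeeper from being turned into a way to read arbitrary files.

```cfml
<!--- ===== /admin/Application.cfm (added example) =====
      Runs before every request under /admin. Whether it also covers remote
      .cfc calls from your AJAX code is exactly what the comments say to verify
      on your own server rather than assume. --->
<cfapplication name="adminArea" sessionmanagement="true"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- The login page itself must be reachable without a session --->
<cfset isLoginPage = (listLast(cgi.script_name, "/") EQ "login.cfm")>

<!--- Assumed convention: session.userId is set only after a successful login --->
<cfif NOT isLoginPage
      AND (NOT structKeyExists(session, "userId") OR NOT isNumeric(session.userId))>
    <cflocation url="/admin/login.cfm" addtoken="false">
</cfif>


<!--- ===== /admin/download.cfm (added example) =====
      Serves a protected static file from outside the web root. Because this
      template sits under /admin, the Application.cfm check above runs first. --->
<cfset storeDir = "c:\NotMyWebsite\">   <!--- assumed: outside the web root --->

<!--- Constructed allow list: requested name -> content type. Nothing else is served. --->
<cfset allowed = {
    "report.pdf" = "application/pdf",
    "admin.css"  = "text/css",
    "archive.mdb" = "application/x-msaccess"
}>

<cfparam name="url.name" type="string" default="">

<!--- Unknown name: same response as a missing file, so nothing is learned about the store --->
<cfif NOT structKeyExists(allowed, url.name)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfset filePath = storeDir & url.name>
<cfif NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Conditional GET: answer 304 when the browser's cached copy is still current --->
<cfset lastMod    = getFileInfo(filePath).lastModified>
<cfset reqHeaders = getHttpRequestData().headers>
<cfif structKeyExists(reqHeaders, "If-Modified-Since")>
    <cftry>
        <!--- HTTP dates use the RFC 1123 ("pop") format; result is converted to local time --->
        <cfset since = parseDateTime(reqHeaders["If-Modified-Since"], "pop")>
        <cfif dateCompare(lastMod, since, "s") LTE 0>
            <cfheader statuscode="304" statustext="Not Modified">
            <cfabort>
        </cfif>
        <cfcatch>
            <!--- Unparseable header: ignore it and send the full file below --->
        </cfcatch>
    </cftry>
</cfif>

<!--- Last-Modified must be sent in GMT so the browser can echo it back correctly --->
<cfset utcMod   = dateConvert("local2utc", lastMod)>
<cfset httpDate = dateFormat(utcMod, "ddd, dd mmm yyyy") & " "
                & timeFormat(utcMod, "HH:mm:ss") & " GMT">

<!--- Per-user data should not land in shared caches: "private" with a short lifetime.
      Use "no-store" instead if the file must never be cached at all. --->
<cfheader name="Last-Modified"  value="#httpDate#">
<cfheader name="Cache-Control"  value="private, max-age=300">
<cfheader name="Content-Disposition" value="attachment; filename=""#url.name#""">
<cfcontent type="#allowed[url.name]#" file="#filePath#">
```

A link such as /admin/download.cfm?name=report.pdf then goes through ColdFusion on every request (the load point Peter raised), but a browser that already holds the file and sends If-Modified-Since gets a 304 with no body, which keeps the cost of repeated requests small.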