This section controls several important aspects of the server related to performance and error handling. This is one of the most important pages in the ColdFusion Administrator, as settings here affect the overall behavior of your server. Any updates to settings on this page should be reasoned through and methodically tested before implementing in a production environment.

Timeout Requests After (Seconds)

Timeout Requests

Enabling this setting will enforce a ceiling on request times. Any requests that exceed this duration will be terminated by ColdFusion.

It is highly advisable to enable this setting. Allowing ColdFusion to process a request for an indefinite amount of time can lead to hung threads (requests that will not complete). Given that ColdFusion has a finite number of threads available to process requests, enough hung threads can prevent ColdFusion from serving any requests. By setting this value, you are defining an upper limit on how long a request should process. Requests taking longer are removed.

Tip: If your site has certain pages that are allowed to exceed your defined maximum timeout, you can override this setting with the <cfsetting> tag on a per-page basis. This will allow you to set a reasonable timeout globally and ignore it when necessary.

According to Nielsen, after 8 seconds a website user is likely to click again or leave. The default setting of 60 seconds is therefore very high and serves as a starting point for your tuning effort. The best practice to right-size this setting is to enable Log Slow Pages in the debugging and logging section. Follow up by investigating all requests/pages running longer than 60 seconds in server.log. Refactor these pages and test.

Per App Settings

This setting can be useful if we want to allow developers to override some of the global settings declared in the ColdFusion Administrator. This is useful for installations where more than one site is bound to an instance of ColdFusion. Settings that can be overridden in your code include mappings, custom tag paths, and session/client timeouts. This setting is enabled by default.

Use UUID for cftoken

Using a UUID for cftoken is a recommended security best practice if you are not using J2EE session management. It enforces a highly unique identifier per user with a significantly greater complexity than the standard numeric values for the client and session cftoken. The default is checked.

Tip: There are significant advantages to using J2EE session management over ColdFusion management of sessions. These are covered in more details in the Client Variables section of this guide.

Tip: Be sure to review our ColdFusion security recommendations to help secure your server.

Enable HTTP status codes

Having ColdFusion return known HTTP error status codes is helpful to search engines, proxies, and other automated systems that interact with your application. When a page is missing, this will cause ColdFusion to return a status code 404, which is universally recognized to mean “Page Not Found”. Similarly, when an error is thrown in ColdFusion, a status code of 500 will be returned. We recommend this setting be enabled in your production environment only. The default is checked.

Enable Whitespace Management

This setting reduces the file size of the pages that ColdFusion returns to the browser by removing many of the extra spaces, tabs, and carriage returns that ColdFusion might otherwise persist from the CFML source file. This results in a smaller payload delivered to the browser for each page. If you are experiencing issues with broken JavaScript or CSS, it may be worth disabling this setting. Make sure your settings across your development, staging, and production environments are consistent so issues are not discovered in production. The default is checked.

Disable CFC Type Check

When arguments are passed to a component method or user-defined function, ColdFusion will perform a validation to ensure that values of the right type are passed. If you pass an array as an argument that expects a string, ColdFusion will throw an error. Validation like this is helpful during development, but it comes at a slight performance cost. We recommend running with this setting enabled in your development and staging/test environments at a minimum. You may realize a performance benefit in production by disabling CFC Type Checking, however, it is typically negligible. The default is unchecked.

Disable access to internal ColdFusion Java components

This setting restricts access to Java objects that provide core services for ColdFusion. As these can change with different versions of ColdFusion we recommend this setting be enabled (checked). This prevents an unauthenticated CFML template from reading or modifying administration and configuration information for this server. The default is unchecked.

Preserve case for Struct keys for Serialization

By default, ColdFusion will force the keys of structures to uppercase, losing the original casing of the data. This side effect can hamper your ability to manipulate structures if the case of your keys has meaning. By enabling this setting, ColdFusion will maintain the defined case of keys in your structure. Our recommendation is to enable this setting, with the caveat that it may break existing code adapted to operate on all uppercase keys. The default is unchecked.

 Prefix serialized JSON with

Addressing another security-related issue, this setting protects web services which return JSON data from cross-site scripting attacks by prefixing serialized JSON strings with a custom prefix. We recommend that this setting is enabled. The default is unchecked.

Maximum Output Buffer size

This is a potential performance-related setting. Any requests larger than what is specified in this setting will be automatically flushed to the client. Individual application code should be tested to ensure the accuracy of this setting. The default is 1024KB.

In Memory File System

The Virtual File System is a great feature in ColdFusion that few know about or use. It enables a memory-resident file system that can be used similarly to a standard disk-based system. Because operations are handled in memory, it is much faster than disk. There are many valid use cases for it, including dynamically creating and manipulating images, generating CFM files at runtime and executing them, and report generation.  Here is a list of file systems which can be used with this feature. Be careful though. You are bound by the amount of memory allocated to ColdFusion. This is not a system for general storage of bulk files and is not persistent between server restarts. It is also possible to introduce performance issues as the number of operations conducted on the files increases. This feature is enabled by default.

Memory Limit for In-Memory Virtual File System

This setting specifies a memory limit for the Virtual File System. The proper value for this setting will depend on your application and hardware. Application testing is required to arrive at an optimal value. The default is 100MB.

Memory Limit per Application for In-Memory Virtual File System

This setting provides a more granular control of memory allocation for the Virtual File System between multiple ColdFusion applications running on your server. When you multiple the number of applications on your server by the setting here, it should total the total amount allocated in the Memory Limit for In-Memory Virtual File System (MB) setting If we have five Applications on the ColdFusion server, a setting or 20 would be appropriate; 5 x 20 = 100. We should adjust this as needed, determined by testing the application code. The default is 20MB.

Check configuration files for changes every

This setting is specific to Websphere installations. You may need to enable this setting within that environment. See the description of this setting for more info. The default is unchecked.

Enable Global Script Protection

This is another very important security-related setting. Enabling this feature helps to combat cross-site-scripting attacks. However, it is not a silver bullet. There are edge cases which may bypass this filter. Proper defense against cross-site-scripting attacks starts with the code. Enable this setting within your production environment only after fully testing its impact on your test environment first. One other important point of note: if you are using third-party applications or tags, ongoing testing, particularly before deployment, is very important.

There are also several third-party tools available to help guard against attacks. Our favorite is the ColdFusion specific FuseGuard, and is well worth the license fee.

Allow Extra Attributes in AttributeCollection

This setting allows ColdFusion tags to accept additional attributes not explicitly defined for that tag. The default is enabled.

 Disable creation of unnamed applications

We recommend enabling this setting. When an application is unnamed, the application scope corresponds to the ColdFusion JavaEE servlet context. This can cause unpredictable behavior within your application. Application scope variables can become shared or overwritten between seemingly unrelated applications running on the same server. The default is unchecked.

Allow adding application variables to Servlet Context

This setting relates to the previous one. Unless your application must interact directly with JavaEE JSPs and/or Servlets this should be disabled. The default is disabled.

Clear temporary files created during CFaaS after

This setting manages how often temporary files are purged after they are created by the ColdFusion-As-A-Service tags (cfpop, cfimage, cfdocument, cfmail, cfpop, and cfchart). The proper value for this setting will depend largely on performance. Purge too often and you may incur a performance penalty. Purge too infrequently on a high traffic server and you could risk running out of disk space. This setting is dependent on the needs of your individual application and CFaaS deployments.

ORM search directory.

We recommend setting this value within your code as opposed to the Administrator. This is a slightly more secure approach and lends more flexibility to your applications. For security reasons, this path should not be accessible from the webroot. The default is blank.

Default ScriptSrc Directory

This directory contains files used to generate <cfform> elements. For security reasons, we recommend adjusting this to a path other than the default. Specify the path relative to the web root for the directory containing the cfform.js file.

Google Map API Key

Specify Google Map API license key if you use Google Maps in your application(s).

Component with onServerStar

This setting allows you to specify a cfc containing an onServerStart() method. This method will be executed upon server startup. This can be useful for running tasks required after a server has been rebooted.

The server scope should be used with caution. This is a global scope and is accessible across all ColdFusion applications running on the server. In this regard, it is an insecure scope choice for sensitive data. The default is unchecked.

Allowed file extensions for CFInclude tag

By default, ColdFusion will allow any file type in a <cfinclude> tag. It is our recommendation to explicitly define they file types required for the functionality of your application (typically cfm and cfml). It is possible that changing this setting could break pre-existing or third-party code. Testing your code prior to deployment is advised.  The default is a wildcard (*).

Application.cfc/Application.cfm lookup order

One little-known fact about ColdFusion is that the default order used to hunt for the Application file can lead to a search beyond the webroot. This can inadvertently introduce security and performance issues if this aspect of the server is misunderstood. Our recommendation is to select Until webroot which keeps the search limited more logically. The default setting is Default order.

Error Handlers

Error handlers

It is important to have efficient and effective global error handling defined for your ColdFusion applications.  Without these handlers in place, ColdFusion can expose system or file details to end users which is a security vulnerability. This section allows the specification of system-wide error handling templates that will trigger in the event of a 404 or 500 error.

Any error handling should be as simple and lightweight as possible. It should inform the user of an issue and log any pertinent details. Any calls to third party services, such as <cfmail>, should be wrapped in a try/catch block.

Tip: You can override these settings with custom error handlers in your code using <cferror>.

The default setting is no specified error handling templates.

Request Size Limits

Request Size Limits

ColdFusion makes it possible to define some boundaries around what an acceptable request looks like. If your forms don’t take any more than 10 parameters, it would be wise to establish that limit here. The same also applies to the total payload size and memory required for processing. Smart application of these settings can limit the impact of a Denial-of-Service attack or reconnaissance probing.