This section controls several important aspects of the server related to performance and error handling. This is one of the most important pages in the ColdFusion Administrator, as settings here affect the overall behavior of your server. Any updates to settings on this page should be reasoned through and methodically tested before implementing in a production environment.
Server Settings > Settings
Addressing another security-related issue, this setting protects web services that return JSON data from cross-site scripting attacks by prefixing every serialized JSON string with a custom prefix, which legitimate clients strip before parsing the response. We recommend enabling this setting. The default is unchecked.
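Once the prefix is enabled, every consumer of the service has to remove it before parsing, and a client that does not will fail on every call. The following is an added example, not code from the page, showing a CFML client doing that: it refuses a body that lacks the prefix (a sign the response did not come from the hardened service) and only then deserializes. The prefix value "//", the endpoint URL and the sample body are assumptions.

```cfml
<cfscript>
// Added example: consuming a JSON web service on a ColdFusion server where
// "Prefix serialized JSON" is enabled. The prefix "//" is an assumption; use
// whatever value is configured in the Administrator.
jsonPrefix = "//";

// Strip the protective prefix and parse. A body without the prefix is rejected
// rather than parsed, so a misrouted or spoofed response cannot slip through.
function parsePrefixedJson(required string body, string prefix = "//") {
    var payload = trim(arguments.body);
    if (len(payload) <= len(arguments.prefix)
        || left(payload, len(arguments.prefix)) != arguments.prefix) {
        throw(type = "JsonPrefixMissing",
              message = "Response body does not start with the expected prefix");
    }
    return deserializeJSON(right(payload, len(payload) - len(arguments.prefix)));
}

// Constructed sample body, shaped as ColdFusion emits it with the setting on.
sampleBody = '//{"accounts":[{"id":1,"owner":"alice"}]}';
parsed = parsePrefixedJson(sampleBody, jsonPrefix);
writeOutput("First account owner: " & encodeForHTML(parsed.accounts[1].owner));

// The same helper in front of a real call (endpoint assumed).
cfhttp(url = "https://api.example.invalid/accounts.cfc?method=list&returnformat=json",
       method = "get", result = "httpResult");
accounts = parsePrefixedJson(httpResult.fileContent, jsonPrefix);
</cfscript>
```

The check matters both ways: a naive `deserializeJSON(httpResult.fileContent)` breaks as soon as the setting is switched on, and a client that silently strips only when the prefix happens to be present would accept unprefixed responses from anywhere.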
This is a performance-related setting. Any request larger than the size specified here is automatically flushed to the client. Test your application code to confirm that the value suits it. The default is 1024KB.
The Virtual File System is a great feature in ColdFusion that few know about or use. It enables a memory-resident file system that can be used similarly to a standard disk-based system. Because operations are handled in memory, it is much faster than disk. There are many valid use cases for it, including dynamically creating and manipulating images, generating CFM files at runtime and executing them, and report generation. Here is a list of file systems which can be used with this feature. Be careful though. You are bound by the amount of memory allocated to ColdFusion. This is not a system for general storage of bulk files and is not persistent between server restarts. It is also possible to introduce performance issues as the number of operations conducted on the files increases. This feature is enabled by default.
This setting specifies a memory limit for the Virtual File System. The proper value for this setting will depend on your application and hardware. Application testing is required to arrive at an optimal value. The default is 100MB.
This setting provides more granular control of Virtual File System memory allocation between multiple ColdFusion applications running on your server. Multiplying the number of applications on your server by this value should give the total configured in the Memory Limit for In-Memory Virtual File System (MB) setting. If we have five applications on the ColdFusion server, a setting of 20 would be appropriate: 5 x 20 = 100. Adjust this as needed based on testing of the application code. The default is 20MB.
This setting is specific to WebSphere installations. You may need to enable this setting within that environment. See the description of this setting for more information. The default is unchecked.
This is another very important security-related setting. Enabling this feature helps to combat cross-site scripting attacks. However, it is not a silver bullet: there are edge cases which may bypass this filter, and proper defense against cross-site scripting starts with the code. Enable this setting in your production environment only after fully testing its impact in your test environment. One other important point: if you are using third-party applications or tags, ongoing testing, particularly before deployment, is very important.
There are also several third-party tools available to help guard against attacks. Our favorite is the ColdFusion-specific FuseGuard, which is well worth the license fee.
This setting allows ColdFusion tags to accept additional attributes not explicitly defined for that tag. The default is enabled.
We recommend enabling this setting. When an application is unnamed, the application scope corresponds to the ColdFusion JavaEE servlet context. This can cause unpredictable behavior within your application. Application scope variables can become shared or overwritten between seemingly unrelated applications running on the same server. The default is unchecked.
This setting relates to the previous one. Unless your application must interact directly with JavaEE JSPs and/or Servlets, this should be disabled. The default is disabled.
This setting manages how often temporary files created by the ColdFusion-As-A-Service tags (cfpop, cfimage, cfdocument, cfmail, and cfchart) are purged. The proper value for this setting depends largely on performance. Purge too often and you may incur a performance penalty; purge too infrequently on a high-traffic server and you risk running out of disk space. The right value depends on the needs of your individual application and CFaaS deployments.
We recommend setting this value within your code rather than in the Administrator. This is a slightly more secure approach and gives your applications more flexibility. For security reasons, this path should not be accessible from the webroot. The default is blank.
This directory contains files used to generate <cfform> elements. For security reasons, we recommend adjusting this to a path other than the default. Specify the path relative to the web root for the directory containing the cfform.js file.
Specify your Google Maps API license key if you use Google Maps in your application(s).
This setting allows you to specify a CFC containing an onServerStart() method. This method is executed at server startup, which is useful for running tasks required after a server has been rebooted.
The server scope should be used with caution. This is a global scope and is accessible across all ColdFusion applications running on the server. In this regard, it is an insecure scope choice for sensitive data. The default is unchecked.
By default, ColdFusion allows any file type in a <cfinclude> tag. We recommend explicitly defining the file types required for the functionality of your application (typically cfm and cfml). Changing this setting could break pre-existing or third-party code, so test your code prior to deployment. The default is a wildcard (*).
One little-known fact about ColdFusion is that the default order used to hunt for the Application file can lead to a search beyond the webroot. This can inadvertently introduce security and performance issues if this aspect of the server is misunderstood. Our recommendation is to select Until webroot, which sensibly confines the search to the webroot. The default setting is Default order.
It is important to have efficient and effective global error handling defined for your ColdFusion applications. Without these handlers in place, ColdFusion can expose system or file details to end users, which is a security vulnerability. This section allows the specification of system-wide error handling templates that are triggered in the event of a 404 or 500 error.
Any error handling should be as simple and lightweight as possible. It should inform the user of an issue and log any pertinent details. Any calls to third party services, such as <cfmail>, should be wrapped in a try/catch block.
Tip: You can override these settings with custom error handlers in your code using <cferror>.
The default setting is no specified error handling templates.
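The two recommendations above, a named application (so the application scope stays off the JavaEE servlet context) and a lightweight global error handler that logs detail, shows the user only a generic message, and wraps its <cfmail> call in try/catch, fit together in one Application.cfc. The following is an added example, not code from the page; it uses the onError method of Application.cfc, which fills the same role as the <cferror> tag mentioned in the tip. The application name, log file name and mail addresses are assumptions, and the script-style cfmail()/cfheader() calls assume ColdFusion 11 or later.

```cfml
// Application.cfc: added example, not from the page. Application name, log file
// name and mail addresses are assumptions. Script-style cfmail()/cfheader() need CF11+.
component {

    // A named application keeps the application scope separate from the JavaEE
    // servlet context, so variables cannot bleed between unrelated applications.
    this.name = "LockdownDemoApp";
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);

    // Global error handler, the Application.cfc counterpart of <cferror>.
    // Log the detail, notify operators, and show the user only a generic message.
    public void function onError(required any exception, string eventName = "") {
        var incidentId = createUUID();

        // Full detail goes to the log, never to the browser: message, detail and
        // stack trace often contain file paths, SQL and data-source names.
        writeLog(
            file = "appErrors",
            type = "error",
            text = "incident=#incidentId# event=#arguments.eventName# " &
                   "type=#arguments.exception.type# message=#arguments.exception.message#"
        );

        // Mail is a third-party dependency; wrap it so that a mail-server outage
        // cannot turn the error page itself into a second, unhandled error.
        try {
            cfmail(
                to      = "ops@example.invalid",
                from    = "noreply@example.invalid",
                subject = "Application error #incidentId#"
            ) {
                writeOutput("Incident #incidentId# has been logged to appErrors.log.");
            }
        } catch (any mailError) {
            writeLog(file = "appErrors", type = "error",
                     text = "incident=#incidentId# mail notification failed: #mailError.message#");
        }

        // What the user sees: a generic message and the reference id only.
        cfheader(statusCode = 500, statusText = "Internal Server Error");
        writeOutput("<h1>Something went wrong</h1>" &
                    "<p>Please try again later and quote reference #encodeForHTML(incidentId)#.</p>");
    }
}
```

The incident id is the only thing that crosses from the log to the user; it lets support correlate a complaint with a log entry without the page ever revealing the exception text, template path or stack trace that the Administrator's default behaviour would otherwise display.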
Request Size Limits
ColdFusion makes it possible to define some boundaries around what an acceptable request looks like. If your forms don’t take any more than 10 parameters, it would be wise to establish that limit here. The same also applies to the total payload size and memory required for processing. Smart application of these settings can limit the impact of a Denial-of-Service attack or reconnaissance probing.