
Download Security Header Templates for ColdFusion (CSP HSTS)

This downloadable pack gives you production-ready HTTP security header templates tailored for ColdFusion. You get a drop-in CFML module for setting Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), and related headers, plus ready-to-use server configuration snippets (IIS/Apache/Nginx), and a practical guide to rolling out with zero downtime. The templates help you harden apps, reduce XSS and clickjacking risks, and meet compliance requirements without having to research every directive and edge case.


What You’ll Get

  • CFML templates:
    • Application.cfc header module: injects CSP, HSTS, Referrer-Policy, Permissions-Policy, X-Content-Type-Options, X-Frame-Options, and more using cfheader.
    • Nonce generator utility for safe inline scripts and styles.
    • Report-Only toggle and environment-aware configuration (Dev/Staging/Prod).
  • Web server snippets:
    • IIS web.config examples for custom headers.
    • Apache httpd.conf/.htaccess Header directives.
    • Nginx add_header rules with examples for CSP and HSTS.
  • Example policy presets:
    • Strict, Moderate, and Compatibility CSP presets.
    • HSTS presets: standard and preload-ready.
  • Integration examples:
    • Adobe ColdFusion 2018/2021/2023 and Lucee 5.3+.
    • Reverse proxy/CDN notes (Cloudflare, Azure Front Door, AWS ALB).
  • Quick-reference PDF (12–16 pages):
    • Header cheat sheet with tested values.
    • Rollout checklists, testing tools, and troubleshooting guide.
  • Sample CSP violation logger:
    • Endpoint that accepts application/csp-report and logs JSON payloads.
  • Optional cookie hardening helpers:
    • this.sessionCookie and cfscript examples for Secure, HttpOnly, SameSite.

Overview

The pack is a ready-to-implement set of ColdFusion security headers that protects against common web threats and helps you standardize HTTP response headers across apps. It includes a composable CSP policy with nonce support, HSTS with preload guidance, and safety headers like X-Frame-Options: DENY and X-Content-Type-Options: nosniff. You can deploy at the application layer (cfheader in Application.cfc), the web server (IIS/Apache/Nginx), or both for layered defense.


Benefits and Use Cases

  • Faster hardening: start with vetted defaults; adjust allowlists instead of writing policies from scratch.
  • Reduced XSS risk: nonce-based CSP blocks unauthorized scripts by default.
  • Safer framing and embedding: enforce frame-ancestors and X-Frame-Options to stop clickjacking.
  • Consistent TLS usage: HSTS makes HTTPS mandatory and supports the HSTS preload list.
  • Compliance-ready: aligns with common controls in PCI-DSS, ISO 27001, OWASP ASVS, and SOC 2.
  • Works across environments: different Report-Only/enforce modes per environment.
  • Ideal for:
    • New ColdFusion apps needing a secure baseline.
    • Legacy apps migrating to CSP Report-Only first, then enforcement.
    • Teams consolidating header management across multiple servers.

Supported Environments

  • ColdFusion engines:
    • Adobe ColdFusion 2018, 2021, 2023.
    • Lucee 5.3+.
  • Web servers and proxies:
    • Microsoft IIS 10+, Apache 2.4+, Nginx 1.18+.
    • Works behind CDNs and reverse proxies; includes overwrite/append guidance.
  • TLS:
    • HSTS requires valid HTTPS on the apex domain and all subdomains if using includeSubDomains.

What’s Inside the Templates

  • Core headers and example values:
    • Content-Security-Policy (CSP): default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; script-src 'self' 'nonce-{{nonce}}' cdn.example.com; style-src 'self' 'nonce-{{nonce}}'; img-src 'self' data:; connect-src 'self' api.example.com; upgrade-insecure-requests
    • Strict-Transport-Security (HSTS): max-age=31536000; includeSubDomains; preload
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy: geolocation=(), camera=(), microphone=()
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY
    • Cross-Origin-Opener-Policy: same-origin
    • Cross-Origin-Resource-Policy: same-origin
    • Cross-Origin-Embedder-Policy: require-corp (optional; enable only if you need isolation)
  • Report-Only variants:
    • Content-Security-Policy-Report-Only
    • Report-To and/or report-uri configuration notes

Note: Some legacy headers (e.g., X-XSS-Protection) are deprecated; the guide explains why they’re omitted by default.


How to Install

Step 1: Download and extract

  1. Download the ZIP file (Security headers for ColdFusion – CSP + HSTS).
  2. Extract into your project, e.g., /security/headers/.

Step 2: Wire into Application.cfc

  1. Open your Application.cfc.
  2. In onRequestStart or onRequest, include the header module:
    • Using cfinclude:
    • Or in cfscript call: applySecurityHeaders()
  3. Ensure the include runs before any output (headers must be sent before body content).

Step 3: Generate a CSP nonce per request

  • Add early in onRequestStart (cfscript):
        // 16 bytes from a CSPRNG, base64-encoded: the form a 'nonce-...' source expression expects
        sr = createObject("java", "java.security.SecureRandom");
        bytes = createObject("java", "byte[]").init(16);
        sr.nextBytes(bytes);
        request.cspNonce = binaryEncode(bytes, "base64");
  • Use the nonce in your templates:
    • Add 'nonce-#request.cspNonce#' to script-src and style-src in the CSP header builder provided.

Step 4: Choose a CSP preset

  • Start with Moderate preset (compatible with most apps).
  • Add your domains to allowlists (e.g., cdn.example.com for scripts).
  • Keep object-src 'none' and frame-ancestors 'none' unless you must embed/host external frames.

Step 5: Enable Report-Only first

  • Set the module to emit Content-Security-Policy-Report-Only.
  • Configure report-uri or Report-To endpoint; include the sample /security/csp-report.cfm to log reports.
  • Monitor violations for 1–2 weeks and refine allowlists.

Step 6: Enforce CSP

  • Switch from Report-Only to Content-Security-Policy once noise is low.
  • Remove temporary 'unsafe-inline' or 'unsafe-eval' if present; prefer nonces or hashes.

Step 7: Configure HSTS safely

  • Confirm your entire site (and subdomains, if using includeSubDomains) works over HTTPS.
  • Start with: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • After 2–4 weeks without issues, consider adding preload and submit to hstspreload.org (optional).

Step 8: Harden cookies (optional)

  • In Application.cfc:
    • this.sessionCookie.secure = true
    • this.sessionCookie.httpOnly = true
    • this.sessionCookie.sameSite = "Lax" // or "Strict" for highly sensitive apps
  • For custom cookies, set Secure, HttpOnly, and SameSite attributes consistently.

Step 9: Avoid duplicates at the server layer

  • If you also add headers in IIS/Apache/Nginx, disable duplicates in one layer.
  • The guide includes “single source of truth” patterns to prevent conflicting values.
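Steps 2 through 9 wired together in one Application.cfc. This is an added example written for this page, not the pack's own module: the production host name, the domains in the allowlists, and the X-Forwarded-Proto check are assumptions, and the nonce comes from generateSecretKey("AES", 128) rather than the SecureRandom snippet in Step 3 (both give 16 CSPRNG bytes as base64). The Report-Only/enforce switch follows Steps 5 and 6; HSTS is only sent on HTTPS responses, per Step 7.

```cfml
component {

    this.name              = "SecureHeadersDemo";
    this.sessionManagement = true;

    // Step 8: harden the session cookie
    this.sessionCookie.secure   = true;
    this.sessionCookie.httpOnly = true;
    this.sessionCookie.sameSite = "Lax";

    // Steps 5/6: assumed environment switch. Everything except the production host
    // stays in Report-Only; flip this (or drive it from a config file) to enforce.
    this.cspReportOnly = ( cgi.server_name != "www.example.com" );

    public boolean function onRequestStart( required string targetPage ) {
        // Step 3: a fresh 128-bit nonce per request, base64-encoded as 'nonce-...' expects
        request.cspNonce = generateSecretKey( "AES", 128 );
        // Step 2: headers must be emitted before any body output
        applySecurityHeaders( reportOnly = this.cspReportOnly );
        return true;
    }

    private void function applySecurityHeaders( boolean reportOnly = false ) {
        var directives = [
            "default-src 'self'",
            "base-uri 'self'",
            "object-src 'none'",
            "frame-ancestors 'none'",
            "form-action 'self'",
            "script-src 'self' 'nonce-#request.cspNonce#' cdn.example.com",   // assumed CDN host
            "style-src 'self' 'nonce-#request.cspNonce#'",
            "img-src 'self' data:",
            "connect-src 'self' api.example.com",                              // assumed API host
            "upgrade-insecure-requests",
            // Step 5: the pack's sample report sink collects violations in both modes
            "report-uri /security/csp-report.cfm"
        ];
        var cspHeader = arguments.reportOnly
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
        cfheader( name = cspHeader, value = arrayToList( directives, "; " ) );

        // Step 7: advertise HSTS only on HTTPS responses. cgi.https is "on" when ColdFusion
        // terminates TLS; behind a proxy/CDN the (assumed) X-Forwarded-Proto header carries
        // the client-facing scheme instead.
        var fwdProto = getHttpRequestData().headers[ "X-Forwarded-Proto" ] ?: "";
        if ( cgi.https == "on" || fwdProto == "https" ) {
            cfheader( name = "Strict-Transport-Security", value = "max-age=31536000; includeSubDomains" );
        }

        // Static companions; Step 9: set these here OR at the web server, not both
        cfheader( name = "Referrer-Policy",              value = "strict-origin-when-cross-origin" );
        cfheader( name = "Permissions-Policy",           value = "geolocation=(), camera=(), microphone=()" );
        cfheader( name = "X-Content-Type-Options",       value = "nosniff" );
        cfheader( name = "X-Frame-Options",              value = "DENY" );
        cfheader( name = "Cross-Origin-Opener-Policy",   value = "same-origin" );
        cfheader( name = "Cross-Origin-Resource-Policy", value = "same-origin" );
    }
}
```

In page templates, every inline script or style then carries the request's nonce, e.g. `<script nonce="#encodeForHTMLAttribute(request.cspNonce)#">`; a script tag without it is blocked (or reported, in Report-Only mode), which is exactly the signal the Step 5 monitoring period is meant to surface.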

Configuration Examples

CFML (cfscript) header builder snippet

  • In applySecurityHeaders.cfm (cfscript), as the function onRequestStart calls (var is only valid inside a function):

        function applySecurityHeaders() {
            // One directive per element; request.cspNonce is set earlier in onRequestStart
            var directives = [
                "default-src 'self'",
                "base-uri 'self'",
                "object-src 'none'",
                "frame-ancestors 'none'",
                "form-action 'self'",
                "script-src 'self' 'nonce-#request.cspNonce#' cdn.example.com",
                "style-src 'self' 'nonce-#request.cspNonce#'",
                "img-src 'self' data:",
                "connect-src 'self' api.example.com",
                "upgrade-insecure-requests"
            ];
            var csp = directives.toList("; ");

            cfheader(name="Content-Security-Policy", value=csp);
            cfheader(name="Strict-Transport-Security", value="max-age=31536000; includeSubDomains");
            cfheader(name="Referrer-Policy", value="strict-origin-when-cross-origin");
            cfheader(name="Permissions-Policy", value="geolocation=(), camera=(), microphone=()");
            cfheader(name="X-Content-Type-Options", value="nosniff");
            cfheader(name="X-Frame-Options", value="DENY");
            cfheader(name="Cross-Origin-Opener-Policy", value="same-origin");
            cfheader(name="Cross-Origin-Resource-Policy", value="same-origin");
        }
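The report sink that Step 5 points at (/security/csp-report.cfm), as an added example rather than the pack's own file. It accepts both the legacy report-uri shape (application/csp-report, a single csp-report object) and the Report-To shape (application/reports+json, an array of csp-violation reports), normalizes the two field namings, strips CR/LF before logging so a crafted report cannot forge log lines, and caps body and field sizes. The size limits and the log file name are assumptions.

```cfml
<cfscript>
// /security/csp-report.cfm : CSP violation report sink (added example, not the pack's file).
// report-uri POSTs  Content-Type: application/csp-report   {"csp-report": {...}}
// Report-To POSTs   Content-Type: application/reports+json [{"type":"csp-violation","body":{...}}]

reqData     = getHttpRequestData();
contentType = lCase( trim( listFirst( reqData.headers[ "Content-Type" ] ?: "", ";" ) ) );
allowed     = "application/csp-report,application/reports+json,application/json";

if ( cgi.request_method != "POST" || !listFindNoCase( allowed, contentType ) ) {
    cfheader( statusCode = 405, statusText = "Method Not Allowed" );
    abort;
}

rawBody = toString( reqData.content );
// Real reports are a few hundred bytes; a large body is noise or abuse, not a violation worth keeping.
if ( len( rawBody ) > 16384 ) {                      // assumed cap
    cfheader( statusCode = 413, statusText = "Payload Too Large" );
    abort;
}
if ( !isJSON( rawBody ) ) {
    cfheader( statusCode = 400, statusText = "Bad Request" );
    abort;
}

payload = deserializeJSON( rawBody );
reports = [];
if ( isStruct( payload ) && structKeyExists( payload, "csp-report" ) ) {
    arrayAppend( reports, payload[ "csp-report" ] );
} else if ( isArray( payload ) ) {
    for ( item in payload ) {
        if ( isStruct( item ) && ( item.type ?: "" ) == "csp-violation" && structKeyExists( item, "body" ) ) {
            arrayAppend( reports, item.body );
        }
    }
}

// Read a field under either naming convention, flatten non-strings, drop CR/LF/TAB
// (log-injection protection) and cap the length so one report cannot bloat the log.
function pick( required struct r, required string legacyKey, required string modernKey ) {
    var v = r[ arguments.legacyKey ] ?: ( r[ arguments.modernKey ] ?: "" );
    if ( !isSimpleValue( v ) ) { v = serializeJSON( v ); }
    return left( reReplace( toString( v ), "[\r\n\t]", " ", "all" ), 512 );
}

for ( r in reports ) {
    if ( !isStruct( r ) ) { continue; }
    line = {
        "documentUri"        : pick( r, "document-uri",        "documentURL" ),
        "effectiveDirective" : pick( r, "effective-directive", "effectiveDirective" ),
        "blockedUri"         : pick( r, "blocked-uri",         "blockedURL" ),
        "sourceFile"         : pick( r, "source-file",         "sourceFile" ),
        "lineNumber"         : pick( r, "line-number",         "lineNumber" ),
        "disposition"        : pick( r, "disposition",         "disposition" ),
        "userAgent"          : left( reReplace( cgi.http_user_agent, "[\r\n\t]", " ", "all" ), 256 )
    };
    // One JSON document per line keeps the file easy to tail, grep, and ship to a SIEM.
    writeLog( file = "cspReports", type = "information", text = serializeJSON( line ) );
}

// Browsers ignore the body; 204 tells them the report was accepted.
cfheader( statusCode = 204, statusText = "No Content" );
</cfscript>
```

Two things to watch when deploying a sink like this: exempt the path from any CSRF or login filter in Application.cfc (browsers send reports without credentials), and expect a burst of noise from browser extensions, which show up as blocked-uri values such as chrome-extension://; triage by effectiveDirective and blockedUri rather than by raw count when tuning the allowlists in Step 5.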

IIS (web.config) example

  • Add under system.webServer/httpProtocol/customHeaders:
    • Add CSP only if you’re not setting it in CFML to avoid duplicates.

Apache example

  • In vhost or .htaccess:
    • Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    • Header set Referrer-Policy "strict-origin-when-cross-origin"
    • Header set X-Content-Type-Options "nosniff"

Nginx example

  • Inside server {}:
    • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    • add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Best practices

  • Prefer nonces or hashes over 'unsafe-inline' and 'unsafe-eval'.
  • Keep object-src 'none'; avoid plugins and legacy embeds.
  • Use frame-ancestors instead of only X-Frame-Options for modern coverage; keep X-Frame-Options for legacy clients.
  • Roll out CSP with Report-Only, then enforce; do not jump directly to enforcement on complex apps.
  • Treat HSTS preload with caution: ensure all subdomains are HTTPS or you may brick access.
  • Validate headers in staging and production using:
    • curl -I https://yourdomain
    • browser devtools > Network headers
    • scanners like securityheaders.com and Mozilla Observatory
  • Document your domain allowlists; review periodically to remove unused CDNs or APIs.
  • When behind a CDN, check if it overwrites headers; ensure pass-through or configure there.

Common pitfalls to Avoid

  • Sending headers after output has started; always set early in the request.
  • Duplicating CSP at both CFML and web server levels with different values.
  • Keeping CSP in Report-Only indefinitely; set a date to enforce.
  • Enabling HSTS before confirming HTTPS for all paths and subdomains.
  • Allowing wildcard sources in CSP (e.g., *.example.com) when a narrower list is possible.
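The validation step in the best practices list and the pitfalls above can be turned into a check you run against staging and production. This added example (not part of the pack) lints a response's headers: it parses the CSP, flags 'unsafe-inline' and 'unsafe-eval' in the effective script-src, wildcard sources, a missing object-src 'none', base-uri or frame-ancestors, a policy still in Report-Only, an HSTS max-age under a year or without includeSubDomains, and a missing nosniff or X-Frame-Options. The sample header struct is constructed to trip most rules; the cfhttp target URL and the way a repeated header is detected are assumptions, noted inline.

```cfml
<cfscript>
// Added example (not the pack's code): audit security headers against the rules on this page.

// Split "name src src; name src" into { name = [ src, src ] }
function parseCsp( required string policy ) {
    var directives = {};
    for ( var part in listToArray( arguments.policy, ";" ) ) {
        var tokens = listToArray( trim( part ), " " );
        if ( !arrayLen( tokens ) ) { continue; }
        var name = lCase( tokens[ 1 ] );
        arrayDeleteAt( tokens, 1 );
        directives[ name ] = tokens;
    }
    return directives;
}

// Returns an array of human-readable findings; empty means the headers pass these checks
function auditHeaders( required struct h ) {
    var findings = [];

    var cspName = structKeyExists( h, "Content-Security-Policy" ) ? "Content-Security-Policy"
        : ( structKeyExists( h, "Content-Security-Policy-Report-Only" ) ? "Content-Security-Policy-Report-Only" : "" );
    if ( !len( cspName ) ) {
        arrayAppend( findings, "CSP: no policy header at all" );
    } else if ( !isSimpleValue( h[ cspName ] ) ) {
        // Assumption: cfhttp exposes a repeated header as a struct of numbered values,
        // which is the symptom of CFML and the web server both setting CSP (pitfall 2)
        arrayAppend( findings, "CSP: header sent more than once; keep a single source of truth" );
    } else {
        if ( cspName == "Content-Security-Policy-Report-Only" ) {
            arrayAppend( findings, "CSP: still Report-Only; set a date to enforce" );
        }
        var d = parseCsp( h[ cspName ] );
        // script-src falls back to default-src when absent, so lint the effective list
        var scriptSrc = d[ "script-src" ] ?: ( d[ "default-src" ] ?: [] );
        for ( var weak in [ "'unsafe-inline'", "'unsafe-eval'" ] ) {
            if ( arrayFindNoCase( scriptSrc, weak ) ) {
                arrayAppend( findings, "CSP: script-src allows #weak#; use nonces or hashes" );
            }
        }
        for ( var name in d ) {
            for ( var src in d[ name ] ) {
                if ( find( "*", src ) ) {
                    arrayAppend( findings, "CSP: #name# uses wildcard source #src#; narrow the allowlist" );
                }
            }
        }
        if ( !arrayFindNoCase( d[ "object-src" ] ?: [], "'none'" ) ) {
            arrayAppend( findings, "CSP: object-src should be 'none'" );
        }
        for ( var mustHave in [ "base-uri", "frame-ancestors" ] ) {
            if ( !structKeyExists( d, mustHave ) ) { arrayAppend( findings, "CSP: missing #mustHave#" ); }
        }
    }

    if ( !structKeyExists( h, "Strict-Transport-Security" ) ) {
        arrayAppend( findings, "HSTS: header missing" );
    } else {
        var hsts   = h[ "Strict-Transport-Security" ];
        var maxAge = val( reReplaceNoCase( hsts, "^.*max-age=(\d+).*$", "\1" ) );
        if ( maxAge < 31536000 ) { arrayAppend( findings, "HSTS: max-age #maxAge# is below one year" ); }
        if ( !findNoCase( "includeSubDomains", hsts ) ) { arrayAppend( findings, "HSTS: includeSubDomains not set" ); }
    }

    if ( ( h[ "X-Content-Type-Options" ] ?: "" ) != "nosniff" ) {
        arrayAppend( findings, "X-Content-Type-Options: nosniff missing" );
    }
    if ( !structKeyExists( h, "X-Frame-Options" ) ) {
        arrayAppend( findings, "X-Frame-Options: missing (keep DENY alongside frame-ancestors for legacy clients)" );
    }
    return findings;
}

// Constructed sample: a migration-era policy that still carries the shortcuts this page warns about
weakHeaders = {
    "Content-Security-Policy-Report-Only" : "default-src 'self'; script-src 'self' 'unsafe-inline' *.example.com; img-src *",
    "Strict-Transport-Security"           : "max-age=86400",
    "X-Content-Type-Options"              : "nosniff"
};
writeDump( auditHeaders( weakHeaders ) );

// Live check against an assumed URL: HEAD with redirects disabled, so the headers audited
// are the ones this exact host sends rather than those of a redirect target
cfhttp( url = "https://www.example.com/", method = "HEAD", redirect = false, result = "res" );
writeDump( auditHeaders( res.responseHeader ) );
</cfscript>
```

Run the live check from a host that sees the same path a browser does (through the CDN or reverse proxy, not straight at the ColdFusion connector); a header that passes here but is stripped or overwritten at the edge is exactly the CDN case the best practices list warns about.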

SEO Notes and Secondary Keywords

  • This pack implements robust HTTP security headers for CFML, including Content-Security-Policy, HTTP Strict Transport Security, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options.
  • It integrates easily with Application.cfc and cfheader, works with IIS, Apache, Nginx, and supports reverse proxies.
  • Includes guidance for CSP Report-Only, HSTS preload, and SameSite cookies.

Key Takeaways

  • You get a complete, tested ColdFusion CSP + HSTS implementation with nonce support and rollout guidance.
  • Start in Report-Only, tune allowlists, then move to enforcement with confidence.
  • Use HSTS once HTTPS is fully validated; consider preload only when ready.
  • Avoid header duplication across application and server layers; choose a single source of truth.
  • Included snippets and presets save hours of research and reduce misconfiguration risk.

FAQ

How do I flip from Report-Only to enforcing CSP?

Change the header name from Content-Security-Policy-Report-Only to Content-Security-Policy in the provided module. Keep the same policy value, then monitor your logs for residual violations.

Can I use the templates with Lucee as well as Adobe ColdFusion?

Yes. The cfheader approach and nonce generation work on Lucee 5.3+ and Adobe ColdFusion 2018/2021/2023. Minor syntax differences are covered in the guide notes.

Should I enable HSTS preload right away?

No. First run HSTS with includeSubDomains for a few weeks. Verify that all subdomains and HTTP endpoints redirect correctly. Only then consider adding preload and submitting to the preload list.

What if I need inline scripts or styles?

Use nonces. The pack includes a secure nonce generator and examples to add nonce attributes to script/style tags and the CSP policy (script-src/style-src). Avoid 'unsafe-inline' in production.

Where should I set the headers—ColdFusion or the web server?

Either is fine, but choose one as the primary source to avoid duplicates. Many teams set CSP in ColdFusion (because it can inject dynamic nonces) and set static headers like HSTS and Referrer-Policy at the web server.

About the author

Aaron Longnion


Hey there! I'm Aaron Longnion — an Internet technologist, web software engineer, and ColdFusion expert with more than 24 years of experience. Over the years, I've had the privilege of working with some of the most exciting and fast-growing companies out there, including lynda.com, HomeAway, landsofamerica.com (CoStar Group), and Adobe.com.

I'm a full-stack developer at heart, but what really drives me is designing and building internet architectures that are highly scalable, cost-effective, and fault-tolerant — solutions built to handle rapid growth and stay ahead of the curve.