Add default server rules/predicates in CommandBox for default lockdown

Description

Start of list taken from here: https://www.ortussolutions.com/blog/commandbox-web-server-lockdown-example

Make sure rules to disable admin access are only applied to servers that are running that CF engine.

  • Deny TRACE/TRACK HTTP Verb

  • Deny Administrative Access /(CFIDE/administrator|CFIDE/adminapi|CFIDE/AIR|CFIDE/appdeployment|CFIDE/cfclient|CFIDE/classes|CFIDE/componentutils|CFIDE/debug|CFIDE/images|CFIDE/orm|CFIDE/portlets|CFIDE/scheduler|CFIDE/ServerManager|CFIDE/services|CFIDE/websocket|CFIDE/wizards|lucee/admin)/.*

  • Deny "hidden" files (starting with a dot)

  • Deny common config files
    .*/(box.json|server.json|web.config|urlrewrite.xml|package.json|package-lock.json|Gulpfile.js|CFIDE/multiservermonitor-access-policy.xml|CFIDE/probe.cfm)

There should be a way to completely disable all of the rules above so a user can supply their own manual lockdown.

There should also be a “Development Mode” that loosens or removes the restrictions. I’m inclined to have “Development Mode” be a separate, top-level setting in CommandBox that does more than just affect the default lockdown rules (such as toggling settings like directory browsing, CFConfig admin password, error templates, debugging, etc.)
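The rule set above, modelled as a single request-matching function so the engine-specific admin rule, the "disable all defaults" switch and a development mode can be checked side by side. This is an added example, not CommandBox's own rule engine or server.json syntax; the engine names, the rule names returned, case-insensitive matching and the dev-mode behaviour are assumptions.

```python
import re

# Constructed model of the proposed default lockdown rules; this is not
# CommandBox's own rule engine or server.json syntax. Paths are assumed to be
# URL-decoded and to start with "/".
ENGINE_ADMIN_PREFIXES = {  # admin rules apply only to the engine they belong to
    "adobe": ("CFIDE/administrator", "CFIDE/adminapi", "CFIDE/AIR",
              "CFIDE/appdeployment", "CFIDE/cfclient", "CFIDE/classes",
              "CFIDE/componentutils", "CFIDE/debug", "CFIDE/images", "CFIDE/orm",
              "CFIDE/portlets", "CFIDE/scheduler", "CFIDE/ServerManager",
              "CFIDE/services", "CFIDE/websocket", "CFIDE/wizards"),
    "lucee": ("lucee/admin",),
}
HIDDEN_RE = re.compile(r"(^|/)\.[^/]+")  # any path segment starting with a dot
CONFIG_RE = re.compile(  # same file list as the ticket, left unanchored like it
    r".*/(box\.json|server\.json|web\.config|urlrewrite\.xml|package\.json|"
    r"package-lock\.json|Gulpfile\.js|CFIDE/multiservermonitor-access-policy\.xml|"
    r"CFIDE/probe\.cfm)", re.IGNORECASE)


def lockdown_decision(method, path, engine, rules_enabled=True, dev_mode=False):
    """Return the name of the default rule that denies the request, or None.

    rules_enabled=False switches every default rule off so a user can supply
    their own manual lockdown. dev_mode (assumed semantics) keeps only the
    TRACE/TRACK rule, since that one has no development value.
    """
    if not rules_enabled:
        return None
    if method.upper() in ("TRACE", "TRACK"):
        return "deny-trace"
    if dev_mode:
        return None
    lowered = path.lower()  # case-insensitive matching is an assumption
    for prefix in ENGINE_ADMIN_PREFIXES.get(engine.lower(), ()):
        # mirrors the "/(...)/.*" shape of the ticket's admin pattern
        if lowered.startswith("/" + prefix.lower() + "/"):
            return "deny-admin"
    if HIDDEN_RE.search(path):
        return "deny-hidden"
    if CONFIG_RE.search(path):
        return "deny-config"
    return None
```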

Fixed
Created June 17, 2020 at 7:57 PM
Updated July 2, 2020 at 6:00 AM
Resolved July 2, 2020 at 6:00 AM