Add default server rules/predicates in CommandBox for default lockdown

Description

Start of list taken from here: https://www.ortussolutions.com/blog/commandbox-web-server-lockdown-example

Make sure rules to disable admin access are only applied to servers that are running that CF engine.

  • Deny TRACE/TRACK HTTP Verb

  • Deny Administrative Access /(CFIDE/administrator|CFIDE/adminapi|CFIDE/AIR|CFIDE/appdeployment|CFIDE/cfclient|CFIDE/classes|CFIDE/componentutils|CFIDE/debug|CFIDE/images|CFIDE/orm|CFIDE/portlets|CFIDE/scheduler|CFIDE/ServerManager|CFIDE/services|CFIDE/websocket|CFIDE/wizards|lucee/admin)/.*

  • Deny "hidden" files (starting with a dot)

  • Deny common config files
    .*/(box.json|server.json|web.config|urlrewrite.xml|package.json|package-lock.json|Gulpfile.js|CFIDE/multiservermonitor-access-policy.xml|CFIDE/probe.cfm)

There should be a way to completely disable all of the rules above so a user can supply their own manual lockdown.

There should also be a "Development Mode" that loosens or removes the restrictions. I'm inclined to have "Development Mode" be a separate, top-level setting in CommandBox that does more than just affect the default lockdown rules (such as toggling settings like directory browsing, CFConfig admin password, error templates, debugging, etc.)
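To make the proposed behaviour concrete, here is an added Python model of the four rules above plus the two switches (a global off switch and a "Development Mode"); it is not CommandBox code. The regexes are taken from the list above; the engine names `adobe`/`lucee`, the mapping of admin prefixes to engines, and the choice that Development Mode only relaxes the admin-access rule are assumptions for the example.

```python
import re

# Patterns copied from the rule list above (matched against the request path).
ADMIN_PATHS = re.compile(
    r"/(CFIDE/administrator|CFIDE/adminapi|CFIDE/AIR|CFIDE/appdeployment|CFIDE/cfclient"
    r"|CFIDE/classes|CFIDE/componentutils|CFIDE/debug|CFIDE/images|CFIDE/orm|CFIDE/portlets"
    r"|CFIDE/scheduler|CFIDE/ServerManager|CFIDE/services|CFIDE/websocket|CFIDE/wizards"
    r"|lucee/admin)/.*", re.IGNORECASE)
CONFIG_FILES = re.compile(
    r".*/(box.json|server.json|web.config|urlrewrite.xml|package.json|package-lock.json"
    r"|Gulpfile.js|CFIDE/multiservermonitor-access-policy.xml|CFIDE/probe.cfm)", re.IGNORECASE)
HIDDEN = re.compile(r"(^|/)\.")          # any path segment starting with a dot
DENIED_METHODS = {"TRACE", "TRACK"}

# Assumption: which admin prefix belongs to which CF engine, so the admin rule
# is only applied to servers actually running that engine.
ENGINE_ADMIN_PREFIX = {"adobe": "/cfide/", "lucee": "/lucee/"}


def evaluate(method, path, engine, dev_mode=False, rules_enabled=True):
    """Return (denied, rule_name) for one request under the default lockdown.

    rules_enabled=False disables all default rules (user supplies their own).
    dev_mode=True relaxes the lockdown; here it skips only the admin-access rule.
    """
    if not rules_enabled:
        return (False, None)
    if method.upper() in DENIED_METHODS:
        return (True, "deny-trace-track")
    if not dev_mode and ADMIN_PATHS.fullmatch(path):
        prefix = ENGINE_ADMIN_PREFIX.get(engine.lower(), "")
        if prefix and path.lower().startswith(prefix):
            return (True, "deny-admin")
    if HIDDEN.search(path):
        return (True, "deny-hidden")
    if CONFIG_FILES.fullmatch(path):
        return (True, "deny-config")
    return (False, None)


if __name__ == "__main__":
    # Constructed sample requests: (method, path, engine)
    for req in [("TRACE", "/index.cfm", "adobe"),
                ("GET", "/CFIDE/administrator/index.cfm", "adobe"),
                ("GET", "/CFIDE/administrator/index.cfm", "lucee"),
                ("GET", "/.env", "lucee"),
                ("GET", "/box.json", "adobe")]:
        print(req, "->", evaluate(*req))
```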

Assignee

Brad Wood

Reporter

Brad Wood

Labels

None

Affects versions

None

Fix versions

Priority

Major