Start of list taken from here: https://www.ortussolutions.com/blog/commandbox-web-server-lockdown-example
Make sure rules that disable admin access are applied only to servers running the matching CF engine (the CFIDE paths apply to Adobe ColdFusion, lucee/admin to Lucee).
Deny TRACE/TRACK HTTP Verb
Deny Administrative Access /(CFIDE/administrator|CFIDE/adminapi|CFIDE/AIR|CFIDE/appdeployment|CFIDE/cfclient|CFIDE/classes|CFIDE/componentutils|CFIDE/debug|CFIDE/images|CFIDE/orm|CFIDE/portlets|CFIDE/scheduler|CFIDE/ServerManager|CFIDE/services|CFIDE/websocket|CFIDE/wizards|lucee/admin)/.*
Deny "hidden" files (starting with a dot)
Deny common config files
There should be a way to completely disable all of the rules above so a user can supply their own manual lockdown.
There should also be a “Development Mode” that loosens or removes the restrictions. I’m inclined to have “Development Mode” be a separate, top-level setting in CommandBox that does more than just affect the default lockdown rules (such as toggling settings like directory browsing, CFConfig admin password, error templates, debugging, etc.).
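The four deny rules above written as a CommandBox server.json using the Undertow predicate syntax that web.rules accepts; this is an added example for illustration, not the project's own default rule set. The admin-path pattern is the one listed above; the hidden-file pattern and the list of blocked config-file extensions are constructed here and should be trimmed to whatever the application never serves (for example .json or .xml assets), and case-sensitive=false is assumed because hosts with case-insensitive filesystems resolve /cfide/ and /CFIDE/ to the same directory.

```json
{
  "web": {
    "directoryBrowsing": false,
    "rules": [
      "disallowed-methods( TRACE, TRACK )",
      "regex( pattern='^/(CFIDE/administrator|CFIDE/adminapi|CFIDE/AIR|CFIDE/appdeployment|CFIDE/cfclient|CFIDE/classes|CFIDE/componentutils|CFIDE/debug|CFIDE/images|CFIDE/orm|CFIDE/portlets|CFIDE/scheduler|CFIDE/ServerManager|CFIDE/services|CFIDE/websocket|CFIDE/wizards|lucee/admin)/', case-sensitive=false ) -> set-error( 404 )",
      "regex( pattern='/\\.[^/]+', case-sensitive=false ) -> set-error( 404 )",
      "regex( pattern='\\.(xml|json|ini|properties|bak|log|sql)$', case-sensitive=false ) -> set-error( 404 )"
    ]
  }
}
```

Per the engine note above, the admin-path rule would in practice be split so that only the CFIDE alternatives ship for Adobe ColdFusion servers and only lucee/admin for Lucee servers. Responding 404 rather than 403 gives a probing client the same answer for a blocked path as for a missing one.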