aliaspooryorik

05/25/2023, 11:10 AM
Does anyone explicitly block requests with CFID or CFTOKEN in the URL params?
We don't pass them in the URL, but someone could attempt to add them, so as they are not expected, maybe that request should be blocked.

Rodney

05/25/2023, 12:02 PM
We use IIS so we'd just use an IIS rewrite rule to remove them or use request filtering to reject the request.

aliaspooryorik

05/25/2023, 12:04 PM
I've done it with FuseGuard, as that is already in use and gives us some metrics which may be interesting. I might move to web server level if we find we have a lot, to take the load off the CFML server.