Just a quickie today.
Many websites require an admin interface to manage the public-facing areas of the site. While these can and should be protected with -strong- passwords, as web developers we always want to present an attacker with the smallest possible "attack surface". What an attacker can't access, they can't hack*.
You can make a simple change to the Application.cfm/Application.cfc file of your admin interface to provide an extra layer of security:
<cfswitch expression="#cgi.REMOTE_ADDR#">
<cfcase value="123.45.67.89">
<!--- all your application.cfm code --->
</cfcase>
<cfdefaultcase>
<cflocation url="yourpublicfacingpage.cfm" addtoken="no">
</cfdefaultcase>
</cfswitch>
This limits access to your admin site to a single IP address. You could hard-code the address if it's your own site, or you could store it in a variable read from an ini file where the client sets the value.
If you want to allow access from multiple IPs, just supply a list:
<cfcase value="123.45.67.89, 123.45.65.90" delimiters=",">
To use this in Application.cfc, just add the same code to the onRequestStart method.
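As an added example (not code from the original post), here is the onRequestStart version in script-style Application.cfc, with the allow-list read from a client-editable ini file. The ini path, its [admin] section and the allowedIps key are assumptions; the list entries are trimmed so spaces after the commas do not break the match.

```cfml
component {
    this.name = "adminArea";

    // Assumed: an ini file beside the app that the client edits, e.g.
    //   [admin]
    //   allowedIps=123.45.67.89, 123.45.65.90
    variables.iniPath = expandPath("./admin.ini");

    public boolean function onRequestStart(required string targetPage) {
        var allowed = getProfileString(variables.iniPath, "admin", "allowedIps");
        if (!isClientAllowed(cgi.REMOTE_ADDR, allowed)) {
            // Not on the list: send them to the public site, no URL token.
            location(url="yourpublicfacingpage.cfm", addToken=false);
            return false;
        }
        return true;
    }

    // Compare the requesting address against each allowed entry.
    // Entries are trimmed so "a, b" and "a,b" behave the same way.
    public boolean function isClientAllowed(required string remoteAddr,
                                            required string allowedList) {
        var ip = trim(arguments.remoteAddr);
        for (var entry in listToArray(arguments.allowedList, ",")) {
            if (trim(entry) == ip) {
                return true;
            }
        }
        return false;
    }
}
```

Keep the ini file outside the web root (or block direct requests to it) so the list itself is not readable over HTTP.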
* It's important to note that this is -not- foolproof, since CGI variables -can- be spoofed. There is some debate on whether REMOTE_ADDR can be spoofed, but since security best practice -always- assumes the worst, make sure you've got a nice, strong password protecting your admin interface.
Extra tip:
Use a strong -username- as well as a strong password. It's an awful lot harder to brute-force a website with a username that is unlikely to be found in a dictionary or through social engineering/target research.
If your name is Frank, make your username Fr4an8k. This way an attacker has to figure out what the username is before even starting on the password. Most will simply move on. (And never, ever use a username such as "admin".)