Adding a Twitter Feed To Your Site

With CF8 and the cffeed tag, it's easy to add a feed of your tweets to your site. I've found this is a really good way of getting followers on Twitter. I've used cfpod and cffeed below.

I like to style my cfpods, but IE (at least up to IE7, and as per usual) has "issues", so I just do a browser sniff and use a couple of variables to make the pod look the same in all browsers.

<!--- IE renders the pod header differently, so pick the style and height per browser --->
<CFIF FindNoCase("msie", CGI.HTTP_USER_AGENT, 1)>
 <CFSET podstyle = "color:##000000;text-align:center">
 <CFSET podHT = "75">
<CFELSE>
 <CFSET podstyle = "color:##FFFFCC;background-color:##6699CC;text-align:center">
 <CFSET podHT = "65">
</CFIF>
<cfpod headerStyle="#podStyle#" name="twitpod" height="#podHT#" width="290" title="Me On Twitter - Latest">
 <div style="font-weight:normal;">
 <cfset feedurl=" -@yourTwitterName" />
 <cffeed source="#feedurl#" properties="feedmeta" query="feeditems" />
 <cfoutput query="feeditems" maxrows="1">
 <span style="font-size:.7em;margin-top:-5px;">
 <!--- listfirst() keeps only the date part; DateFormat has no time masks (mm is the month) --->
 #dateformat(listfirst(feeditems.publisheddate,"T"), "mm/dd/yy")#
 </span>
 <span style="font-size:.8em;">
 <!--- strip HTML tags from the tweet text before it is written to the page --->
 #REReplaceNoCase(feeditems.Content, "<[^>]*>", "", "All")#<br>
 </span>
 <a href = "" style="text-decoration:underline;" target="_blank">Subscribe To My Twitter Feed</a>
 </cfoutput>
 </div>
</cfpod>

My Twitter account is a corporate presence, so I don't want other people's tweets showing on my site. If you were just to set your feed url to

you would get all hits for yourTwitterName, even those posts from others who are @replying to you. This might not be an issue for some, but I want to make sure only -my- tweets show up in the feed. Just add


to the search.atom criteria and this will exclude any @yourTwitterName search results.

One other thing you may notice is that I've added an HTML-stripping REReplace function.

#REReplaceNoCase(feeditems.Content, "<[^>]*>", "", "All")#

This is a good idea for feeds and any other source over which you have no control. I don't want visitors to my site to have any issues with potential attacks propagated through Twitter (or any other service). We've already seen a couple of Twitter "worms" and I don't need a potential XSS vulnerability introduced on my site. (paranoid... yes, but that's a -good- thing)


Protect your admin interface.

Just a quickie today.

Many websites require an admin interface to handle the public-facing areas of the site. While these can and should be protected with -strong- passwords, as web developers we always want to give an attacker the smallest possible "attack surface". What an attacker can't access, they can't hack*.

You can make a simple change to the application.cfm/cfc file of your admin interface to provide a greater level of security.

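<cfswitch expression="#cgi.REMOTE_ADDR#">
<!--- value holds the one IP address that is allowed in --->
<cfcase value="">

<!--- all your application.cfm code --->

</cfcase>
<cfdefaultcase>
<!--- every other address is sent back to the public site --->
<cflocation url="yourpublicfacingpage.cfm" addtoken="no">
</cfdefaultcase>
</cfswitch>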



This limits access to your admin site to a single IP address. You could hard-code this if it's your site, or you could make it a variable and read it from an ini file where a client sets the value.

If you want to allow access from multiple IPs, just create a list:

<cfcase value="," delimiters=",">

To use this in application.cfc, just add the code to onRequestStart.
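The pieces above put together for Application.cfc, as an added example that is not code from the original post: the allowed addresses are read from an ini file at application start and checked in onRequestStart. The application name, the ini path, its section and key names, and the 192.0.2.x addresses are assumptions made for illustration.

```cfml
<!--- Application.cfc for the admin directory only (added example, names are hypothetical) --->
<cfcomponent output="false">
    <cfset this.name = "siteAdmin">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Hypothetical ini file, kept outside the web root so it cannot be downloaded:
              [security]
              allowedIPs=192.0.2.10,192.0.2.11
              (constructed sample values from the documentation address range) --->
        <cfset var iniPath = "/opt/site-config/admin.ini">
        <cfset application.allowedIPs = "">
        <cfif FileExists(iniPath)>
            <!--- GetProfileString returns an empty string when the section or key is missing --->
            <cfset application.allowedIPs = Replace(GetProfileString(iniPath, "security", "allowedIPs"), " ", "", "all")>
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Fail closed: a missing or empty list matches nothing, so nobody gets in.
              Behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address,
              so this check only makes sense where clients connect to the server directly. --->
        <cfif NOT StructKeyExists(application, "allowedIPs")
              OR NOT ListFind(application.allowedIPs, cgi.REMOTE_ADDR)>
            <!--- The target must live outside this admin application, or the redirect loops --->
            <cflocation url="/yourpublicfacingpage.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the list is loaded in onApplicationStart, a change to the ini file takes effect only after the application restarts or times out.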

* It’s important to note that this is -not- foolproof since cgi variables -can- be spoofed. There is some debate on whether remote_addr can be spoofed but since security best practice -always- assumes the worst, make sure you’ve got a nice, strong password to protect your admin interface.

Extra tip:

Use a strong -Username- as well as a strong password. It's an awful lot harder to brute-force a website with a username that won't likely be found in a dictionary or by social engineering/target research.

If your name is Frank, make your username Fr4an8k. This way an attacker has to figure out what the Uname is before even starting on the pwd. Most will simply move on. (and never, ever use a username such as "admin")