Protect your admin interface.

Just a quickie today.

Many websites require an admin interface to handle the public facing areas of  the site. While these can and should be protected with -strong- passwords, as a web developer we always want to provide an attacker with the smallest possible “attack surface”. What an attacker can’t access, they can’t hack*.

You can make a simple change to the application.cfm/cfc file of your admin interface to provide a greater level of security.

<cfswitch expression="#cgi.REMOTE_ADDR#">
<cfcase value="123.45.67.89">

— all your application.cfm code —

</cfcase>

<cfdefaultcase>

<cflocation url=”yourpublicfacingpage.cfm” addtoken=”no”>

</cfdefaultcase>

</cfswitch>

This limits access to your admin site to a single IP address. You could hard code this if it’s your site or you could make it a variable and read  from an ini file where a client sets the value.

If you want to allow access from multiple IPs just create a list

<cfcase value=”123.45.67.89, 123.45.65.90” delimiters=”,”>

To use this in application.cfc, just add the code to onRequestStart

* It’s important to note that this is -not- foolproof since cgi variables -can- be spoofed. There is some debate on whether remote_addr can be spoofed but since security best practice -always- assumes the worst, make sure you’ve got a nice, strong password to protect your admin interface.

Extra tip:

Use a strong -Username- as well as a strong password. It’s an awful lot harder to brute force attack a website with a username that won’t likley be found in a dictionary or by social engineering/target research

If your name is  Frank make your username Fr4an8k . This way an attacker has to figure our what the Uname is before even starting on the pwd. Most will simply move on. (and never, ever use a username such as “admin”)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: