The ColdFusion Security Guide

This guide is a collection of articles on various web application vulnerabilities and how they can be addressed in a CFML code base.

ColdFusion Developer Security Training Online Class

ColdFusion Developer Security Guide TOC

This ColdFusion Security Guide is a work in progress: look for more guides to be added over time, and for improvements to be made to each existing guide as well.


ColdFusion Administrators Security Guide

The ColdFusion Administrator's Security Guide is written by Foundeo's Pete Freitag and is called the Adobe ColdFusion Lockdown Guide. The latest lockdown guide available is the Adobe ColdFusion 2023 Lockdown Guide, which covers the ColdFusion 2023 release. Beyond the lockdown guide, we provide a video training series called Locking Down ColdFusion 2023.

Locking Down ColdFusion 2023 Video

ColdFusion Lockdown Guides

Adobe has removed links to older versions of the lockdown guide. Those versions of ColdFusion are no longer supported and are considered EOL (End of Life). Unsupported versions of Adobe ColdFusion may contain security vulnerabilities that will never be patched, so attempting to lock them down may be fruitless; a better solution is to upgrade to a supported version of ColdFusion. I've placed links to the archived versions of these older guides for reference purposes only.

ColdFusion EOL Dates

Version           End of Core Support   End of Extended Support
ColdFusion 2023   2028-05-16            2029-05-16
ColdFusion 2021   2025-11-10            2026-11-10
ColdFusion 2018   2023-07-13            2024-07-13
ColdFusion 2016   2021-02-17            2022-02-17

The end of core support date typically marks the cutoff for security updates, although history has shown that Adobe may go a month or two beyond this date if there is a serious enough issue. Once the core support period ends and the extended support period begins, Adobe typically does not provide security updates or security patches. From our understanding, "extended" support typically consists of assistance to help you upgrade to a supported version.