ColdFusion Administrator has a number of features, such as Advanced Security, built in to protect the development or hosting environment on the server. But what about your code? Here are a few handy things to keep in mind as you write to protect the integrity of your applications.
Do Not Use Hidden Fields to Pass Sensitive Information
You might be thinking, "Duhsomeone can do a view source in the browser and read the information." I'm not talking about people reading information that you do not want them to read (that should be obvious). I am talking about allowing them to modify your data.
Let's say that you have a shopping cart that passes information about the products that your user is purchasing, including the prices, passing in hidden form fields. If I view the source of this page and save it as an .htm file to my desktop, I can then edit the file. Once I have changed the prices to whatever I want, I can then pass the form to an absolute URL (instead of the relative URL specified in the form action attribute), and I can continue to check out normally.
This is not specifically a ColdFusion issue because you might use hidden form fields in this way on an ASP, CGI, or any other kind of site. I'm not saying that don't use hidden fields. I'm saying that you should be careful what you pass in them.
Use Code for Security Contexts
It's a better idea to write your authentication frameworks into your code. If you overuse the CF administrator's security contexts, you can get into porting hassles if you ever want to move your application. Avoid proliferating <cfauthenticate> tags.