[Blog Post] CommandBox Web Server Lockdown Examples

Read the full post here:


This is really helpful so thank you!

My first post here! Great job this community site @bdw429s !

I have a question: Are there any pre-built lockdown urlRewrite rules for Apache2 and IIS when fronting coldbox/contentbox documented somewhere? I’m doing some tests on Tomcat/Lucee and static files like server.json or box.json are being served directly. Just asking before building it myself. Thanks!!!

@Andreas Not that I know of. You can reverse engineer the rules CommandBox uses which are documented here:


1 Like

That should do the job for apache2 mod_rewrite. Translated these from brads blog post. Posting it here for posterity and others:

#Block requests to possible static sensitive files 
RewriteCond %{REQUEST_URI} .*/(box\.json|server\.json|web\.config|urlrewrite\.xml|package\.json|package-lock\.json|Gulpfile\.js|CFIDE/multiservermonitor-access-policy\.xml|CFIDE/probe\.cfm)$ [NC] 
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*)$ - [L,R=404]
1 Like