ColdFusion Article

How to select a ColdFusion hosting provider


Ryan Favro

Created:
13 November 2006
User Level:
Beginner, Intermediate

With so many ColdFusion hosting providers out there today, how do you know which one is right for you? By using the criteria in this article, you will be able to ask the right questions of a potential ColdFusion hosting provider about security, feature sets, resources, support, and pricing offered (or not offered).

Considering price

Typically, the current rates (as of time of writing) are in the range of $2.95 USD up to $200 USD per month for the more feature-rich ColdFusion hosting plans. Not all ColdFusion hosting plans are created equal, however, and the cost varies based on non-ColdFusion features like the number of e-mail accounts provided, allocated disk space, or the type of operating system the server runs. Be wary of less expensive plans—they can often indicate that the provider is running an older version of ColdFusion or that the service provider has only installed the ColdFusion Professional Edition, which has fewer features than the ColdFusion Enterprise Edition. The Enterprise edition can host shared or multi-homed servers and has numerous security features, while the Professional edition cannot host shared or multi-homed servers and does not offer Sandbox Security. The average price of a ColdFusion Enterprise Edition hosting plan is approximately $30-50 USD.

Security

Security in relation to ColdFusion isn't something you can expect by default when selecting a provider. Put the questions in this section to your ISP's sales representative. Their answers will help paint a picture of the security levels in place at the prospective service provider.

Will you be hosted on a server running ColdFusion Enterprise Edition?

As I mentioned earlier, it is preferable to host your ColdFusion content on a machine running ColdFusion Enterprise Edition. This version of ColdFusion is the only version that allows you to use the Sandbox Security features in ColdFusion. On a shared server, you don't have control or knowledge of the code being run by other customers sharing your server. Without Sandbox Security enabled, other account holders on the server could upload malicious ColdFusion code, causing all sorts of problems. One common exploit is to use the CFDIRECTORY and CFFILE tags to gain access to any and every file on the server including the ones in your directory. Sandbox Security can prevent such activity by preventing users from seeing beyond their own web directory on the shared server.

Which ColdFusion tags and functions have been restricted or disabled?

ColdFusion has several tags that should be disabled in a shared hosting environment. Below is a short list of the tags that should be disabled before you open an account at a prospective hosting company.

CFEXECUTE: Used to execute programs on the server through the command line. On a Windows server with ColdFusion running in its default configuration, it is possible to write a script using CFEXECUTE to create a new Administrator account on the server. Clearly you don't want to be hosted on a machine with such a vulnerability.

CFFILE and CFDIRECTORY: These two tags when running in a Sandbox don't have to be disabled as long as each ColdFusion site on the server is its own Sandbox. Once a server is sandboxed, ColdFusion Server does not permit any attempt to view or manipulate files or directories beyond the sandbox.

CFREGISTRY: There is no good reason to have this tag enabled in shared environments. If your project requires CFREGISTRY, your project might not be appropriate for a shared environment to begin with.

CreateObject: This function should be disabled as it can be used to create Java and COM objects that can compromise the server's security. New in ColdFusion MX 7 is the ability to specify the types of objects to disallow, the choices being COM, CORBA, JAVA, and WEBSERVICE. The COM, CORBA, and JAVA variants of the CreateObject function should be disabled, thus leaving room for CFCs and web services as required.

Is JSP functionality disabled?

JavaServer Pages (JSP) functionality is included with ColdFusion by taking advantage of the J2EE application server running behind the scenes. On a dedicated server this is a great feature to have, but on a shared machine, ColdFusion's Sandbox Security does not restrict access to functionality exposed by JSP.

Is the default custom tag folder disabled?

If the answer is “yes” then great; if not, you have a security risk. The custom tag folder is not limited through Sandbox Security and users could circumvent existing sandbox policies.

Is debugging enabled?

On a production server you generally don't want robust debugging information divulged to a user who receives an error on screen (either by accident or on purpose). This can reveal sensitive portions of your source code such as SQL statements.

Is RDS (Remote Development Services) disabled?

On a production server, disable RDS.

Is access to the ColdFusion administrator secured?

The CFIDE directory and Administrator API should never be available to the various users on a shared server.

What account is ColdFusion running under?

This is only really an issue when the ISP runs ColdFusion on a Windows machine. By default, the installer runs ColdFusion as the System account, which can grant privileges far beyond what would be desirable on a shared server. When ColdFusion is installed on Linux, the user is prompted to assign a user for ColdFusion to run as.
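Several of the questions above (Sandbox Security, the CreateObject restrictions, and debugging output) can be verified from inside your own account once it exists, rather than taken on the sales representative's word. The following self-check page is an added example and is not code from the original article; it assumes ColdFusion MX 7 or later, that the page is placed in your own web root, and that the provider's sandbox boundary is that web root. Each check only records whether the server blocked the operation; nothing it attempts is displayed or written.

```cfml
<!--- sandbox-check.cfm (added example, not part of the original article).
      Request this page once from your own account; PASS means the
      restriction the hosting checklist asks about is actually in place. --->
<cfset results = structNew()>

<!--- Check 1: Sandbox Security. A sandboxed account must not be able to list
      the directory above its own web root. Note that if CFDIRECTORY has been
      disabled outright, the tag also throws, which still counts as PASS. --->
<cfset parentDir = getDirectoryFromPath(getCurrentTemplatePath()) & "../">
<cftry>
    <cfdirectory action="list" directory="#parentDir#" name="parentListing">
    <cfset results["Sandbox blocks CFDIRECTORY outside web root"] = "FAIL (listing succeeded)">
    <cfcatch type="any">
        <!--- A sandbox denial surfaces as a Security exception. --->
        <cfset results["Sandbox blocks CFDIRECTORY outside web root"] = "PASS (#cfcatch.type#)">
    </cfcatch>
</cftry>

<!--- Check 2: CreateObject. Instantiating a harmless Java class is enough to
      tell whether the JAVA variant has been disallowed for this account. --->
<cftry>
    <cfset sb = createObject("java", "java.lang.StringBuilder")>
    <cfset results["CreateObject(java) disabled"] = "FAIL (object created)">
    <cfcatch type="any">
        <cfset results["CreateObject(java) disabled"] = "PASS (#cfcatch.type#)">
    </cfcatch>
</cftry>

<!--- Check 3: Debugging output should be off on a production server. --->
<cfif isDebugMode()>
    <cfset results["Debugging disabled"] = "FAIL (debug output enabled)">
<cfelse>
    <cfset results["Debugging disabled"] = "PASS">
</cfif>

<cfoutput>
<h2>Shared-host security self-check</h2>
<ul>
<cfloop collection="#results#" item="checkName">
    <li>#checkName#: #results[checkName]#</li>
</cfloop>
</ul>
</cfoutput>
```

Remove the page after running it; it has no reason to stay on a production site. RDS, the custom tag folder, and the CFIDE/Administrator API questions cannot be answered this way from a template and still need to be put to the provider directly.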

Other Security Considerations

While the aforementioned security points relate to ColdFusion, it's not uncommon for hosting plans to include other technologies such as PHP, ASP, and so forth. Please be aware that these may introduce security concerns that are beyond the scope of this article.

Functionality

Ensure that the ColdFusion features and capabilities that are present in your site and application are available from the prospective hosting provider. Examples of functionality you might ask about are:

  • Are custom tags allowed?
  • Do you have Flash Remoting and, if so, which version? (If you have a Flex application that uses Flash Remoting, you need ColdFusion MX 7.02 or greater.)
  • Again, you may also require ColdFusion MX 7 if you want to use the CFDOCUMENT tag or Flash Forms among other new features added since previous versions of ColdFusion.
  • Some hosting companies use third-party ColdFusion compatible servers such as Blue Dragon. Such products don't necessarily support all of ColdFusion's functionality. Make sure the provider is clear about the version of ColdFusion they are using.
  • What policies are in place regarding upgrading ColdFusion to newer versions as they become available? Depending on your outlook, you may either want to be on the cutting edge and be able to take advantage of new ColdFusion features as soon as they become available in a new version, or you may prefer to take a wait-and-see approach, to ensure future releases won't negatively affect your site / application.
  • What operating system (OS) is the server running? ColdFusion is mostly agnostic about which OS it runs on, although there are a couple caveats that can cause incompatibilities with your code. For example if you use a COM object in your application, it won't work on non-Windows operating systems.

Support

Ask up front what type of support will be available to you in the event something goes wrong on the server or if you need to request additional features such as DSN mappings, custom tags, schedules, indexes and so forth. Some companies provide a self-help method through customer control panels where this is an automated request. Others have you create a support ticket and wait your turn for an administrator to handle your request. It's always a good idea to ask who's behind the scenes managing the ColdFusion server you will be hosted on. Ensure that the hosting company has staff that is knowledgeable about ColdFusion administration beyond clicking the installer. Sadly, the latter is more common than you might think.

Resources

Keep in mind that when you are on a shared server, typically, you are not just sharing disk space with other sites. You are also competing for the system's resources, such as processing, RAM availability, and bandwidth. Find out what type of hardware you will be hosted on and get specific numbers about the CPU, RAM, and hard drive configuration. Find out how many other accounts the server you will be on is allowed to host—overcrowding on your server isn't going to help you much.

Where to go from here

If you already have a project or projects on a shared ColdFusion server, now is a good time to check whether the security is up to your standards. If you are looking to find a new provider, the best place to start looking is the Blogosphere: find folks who blog about ColdFusion and ask the community where they choose to host their applications.

About the author

Ryan Favro is the lead systems architect and managing partner at New Media Team Inc., a Toronto-based web consulting and development company. Ryan has been architecting web application solutions for the past seven years, programming in languages such as ColdFusion, ASP, PHP, and ActionScript. Ryan's other passion, besides testing the limits of the web, is motorcycles. If he's not programming, he is most likely to be out on his motorcycle enjoying Toronto's roadways. Subscribe to Ryan's blog at http://ryanfavro.newmediateam.com/blog/ where you can stay up to date on his Flex and ColdFusion postings.