# Server Profiles

CommandBox has profiles you can assign to a server when you start it to configure the default settings. This is to provide easy secure-by-default setups for your production servers, and to make it easier to switch between a development mode and production mode.

There are 3 currently supported profiles. Custom profiles will be added as a future feature.

* **Production** - Locked down for production hosting
* **Development** - Lax security for local development
* **None** - For backwards compatibility and custom setups. Doesn't apply any web server rules

## Setting the profile

You can set the profile for your server in your `server.json`:

```bash
server set profile=production
```

Which creates this property:

```javascript
{
  "profile": "production"
}
```

Or you can specify it when starting the server like so:

```bash
server start profile=production
```

{% hint style="info" %}
For [Multi-Site](https://commandbox.ortusbooks.com/6.0.0-1/embedded-server/multi-site-support), server profile can be configured on a per-site basis in the `sites` object of the `server.json` or in a `.site.json` file.
{% endhint %}

### Default Profile

If a profile is not set, these rules are used to choose the default value:

* If there is an env var called `environment`, it is used to set the default profile (same convention as ColdBox MVC)
* If the site is bound on `localhost`, default the profile to "**development**". Localhost is defined as any IP address starting with `127.`
* If neither of the above is true, the default profile is "**production**". This makes CommandBox servers secure by default.

## Production profile

When profile is set to "**production**", the following defaults are provided:

* `web.directoryBrowsing` = false
* `web.blockCFAdmin` = external
* `web.blockSensitivePaths` = true
* `web.blockFlashRemoting` = true

## Development profile

When profile is set to "**development**", the following defaults are provided:

* `web.directoryBrowsing` = true
* `web.blockCFAdmin` = false
* `web.blockSensitivePaths` = true
* `web.blockFlashRemoting` = true

## None profile

When profile is set to "**none**", the following defaults are provided:

* `web.directoryBrowsing` = false
* `web.blockCFAdmin` = false
* `web.blockSensitivePaths` = false
* `web.blockFlashRemoting` = false

## Customizing your profile

The defaults above only apply if you do not have an explicit `server.json` or `server.defaults` config setting. If you have an explicit setting, it will override the profile's default. Therefore, if you set the `profile` to `production` but set `web.blockCFAdmin` to `false`, your CF administrator will be public, but the remaining production defaults will still be applied. This allows even the default profiles to be customizable.

```javascript
{
  "profile": "production",
  "web": {
    "blockCFAdmin": false
  }
}
```
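
The default-profile rules and the override behaviour described on this page, combined in an added audit example (Python, not CommandBox's own code): it resolves which profile a `server.json` would get, merges explicit `web` settings over that profile's defaults, and reports every setting left in its exposed state along with whether the profile or an explicit override put it there. Assumptions: the names `resolve_profile` and `audit` are hypothetical, the caller supplies the bound IP and environment, the `environment` value is used as the profile name as-is, unknown names are rejected, and `server.defaults` config settings are not read.

```python
import json

# Per-profile defaults for the `web` block, copied from the lists on this page.
PROFILE_DEFAULTS = {
    "production": {"directoryBrowsing": False, "blockCFAdmin": "external",
                   "blockSensitivePaths": True, "blockFlashRemoting": True},
    "development": {"directoryBrowsing": True, "blockCFAdmin": False,
                    "blockSensitivePaths": True, "blockFlashRemoting": True},
    "none": {"directoryBrowsing": False, "blockCFAdmin": False,
             "blockSensitivePaths": False, "blockFlashRemoting": False},
}
# Value of each setting that leaves the feature exposed; used only for reporting.
EXPOSED = {"directoryBrowsing": True, "blockCFAdmin": False,
           "blockSensitivePaths": False, "blockFlashRemoting": False}

def resolve_profile(server_json, env, bound_ip):
    """Explicit profile first, then the page's default rules in order."""
    if "profile" in server_json:
        return server_json["profile"]
    if env.get("environment"):
        return env["environment"]
    return "development" if bound_ip.startswith("127.") else "production"

def audit(server_json_text, env, bound_ip):
    """Return (profile, effective web settings, exposed settings with source)."""
    server_json = json.loads(server_json_text)
    profile = resolve_profile(server_json, env, bound_ip)
    if profile not in PROFILE_DEFAULTS:
        # Assumption of this script: refuse to guess for unknown profile names.
        raise ValueError(f"unknown profile: {profile!r}")
    explicit = server_json.get("web", {})
    # Explicit settings win over the profile default, one key at a time.
    effective = {**PROFILE_DEFAULTS[profile],
                 **{k: v for k, v in explicit.items() if k in EXPOSED}}
    findings = [(k, "explicit" if k in explicit else "profile")
                for k, v in effective.items() if v is EXPOSED[k]]
    return profile, effective, findings

if __name__ == "__main__":
    # Constructed inputs: the override from this page, then an env var on a public bind.
    page_example = '{"profile": "production", "web": {"blockCFAdmin": false}}'
    print(audit(page_example, {}, "0.0.0.0"))
    print(audit("{}", {"environment": "development"}, "0.0.0.0"))
```

The second call shows the case worth checking in deployment pipelines: an `environment` variable selects the development defaults even though the server is not bound on a `127.` address.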
