CommandBox has profiles you can assign to a server when you start it to configure the default settings. This is to provide easy secure-by-default setups for your production servers, and to make it easier to switch between a development mode and production mode.
There are 3 currently supported profiles. Custom profiles will be added as a future feature.
Production - Locked down for production hosting
Development - Lax security for local development
None - For backwards compatibility and custom setups. Doesn't apply any web server rules.
You can set the profile for your server in your server.json
Which creates this property:
Or you can specify it when starting the server like so:
For Multi-Site, the server profile can be configured on a per-site basis in the sites object of the server.json, or in a .site.json file.
If a profile is not set, these rules are used to choose the default value:
If there is an env var called environment, it is used to set the default profile (same convention as ColdBox MVC).
If the site is bound on localhost, the profile defaults to "development". Localhost is defined as any IP address starting with 127.
If neither of the above is true, the default profile is "production". This makes CommandBox servers secure by default.
When profile is set to "production", the following defaults are provided:
web.directoryBrowsing = false
web.blockCFAdmin = external
web.blockSensitivePaths = true
web.blockFlashRemoting = true
When profile is set to "development", the following defaults are provided:
web.directoryBrowsing = true
web.blockCFAdmin = false
web.blockSensitivePaths = true
web.blockFlashRemoting = true
When profile is set to "none", the following defaults are provided:
web.directoryBrowsing = false
web.blockCFAdmin = false
web.blockSensitivePaths = false
web.blockFlashRemoting = false
The defaults above only apply if you do not have an explicit server.json or server.defaults config setting. If you have an explicit setting, it overrides the profile's default. Therefore, if you set the profile to production but set web.blockCFAdmin to false, your CF administrator will be public, but the remaining production defaults will still be applied. This allows even the default profiles to be customized.