# Server Profiles

CommandBox has profiles you can assign to a server when you start it to configure the default settings. This is to provide easy secure-by-default setups for your production servers, and to make it easier to switch between a development mode and production mode.

There are 3 currently supported profiles. Custom profiles will be added as a future feature.

* **Production** - Locked down for production hosting
* **Development** - Lax security for local development
* **None** - For backwards compat and custom setups. Doesn't apply any web server rules

## Setting the profile

You can set the profile for your server in your `server.json`:

```bash
server set profile=production
```

Which creates this property:

```javascript
{
  "profile": "production"
}
```

Or you can specify it when starting the server like so:

```bash
server start profile=production
```

{% hint style="info" %}
For [Multi-Site](/embedded-server/multi-site-support.md), server profile can be configured on a per-site basis in the `sites` object of the `server.json` or in a `.site.json` file.
{% endhint %}

### Default Profile

If a profile is not set, these rules are used to choose the default value:

* If there is an env var called `environment`, it is used to set the default profile (same convention as ColdBox MVC)
* If the site is bound on `localhost`, default the profile to "**development**".  Localhost is defined as any IP address starting with `127.`
* If neither of the above are true, the default profile is "**production**".  This makes CommandBox servers secure by default.

## **Production** profile

When profile is set to "**production**", the following defaults are provided:

* `web.directoryBrowsing` = false
* `web.blockCFAdmin` = external
* `web.blockSensitivePaths` = true
* `web.blockFlashRemoting` = true

## Development profile

When profile is set to "**development**", the following defaults are provided:

* `web.directoryBrowsing` = true
* `web.blockCFAdmin` = false
* `web.blockSensitivePaths` = true
* `web.blockFlashRemoting` = true

## None profile

When profile is set to "**none**", the following defaults are provided:

* `web.directoryBrowsing` = false
* `web.blockCFAdmin` = false
* `web.blockSensitivePaths` = false
* `web.blockFlashRemoting` = false

## Customizing your profile

The defaults above only apply if you do not have an explicit `server.json` or `server.defaults` config setting. If you have an explicit setting, it will override the profile's default. Therefore, if you set the `profile` to `production` but set `web.blockCFAdmin` to `false`, your CF administrator will be public, but the remaining production defaults will still be applied. This allows even the default profiles to be customizable.

```javascript
{
  "profile": "production",
  "web": {
    "blockCFAdmin": false
  }
}
```
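The following audit sketch is an added example, not CommandBox's own code: it resolves the profile using the rules under "Default Profile", layers explicit settings over the profile defaults, and lists every setting that ends up different from the production defaults. The function names are hypothetical, and it assumes `server.defaults` is passed in as a plain object that ranks below `server.json`, that the bind address is already resolved to an IP, and that the `environment` value is used as the profile name after lower-casing.

```javascript
// Profile defaults exactly as listed on this page.
const PROFILE_DEFAULTS = {
  production:  { directoryBrowsing: false, blockCFAdmin: "external", blockSensitivePaths: true,  blockFlashRemoting: true },
  development: { directoryBrowsing: true,  blockCFAdmin: false,      blockSensitivePaths: true,  blockFlashRemoting: true },
  none:        { directoryBrowsing: false, blockCFAdmin: false,      blockSensitivePaths: false, blockFlashRemoting: false },
};

// Explicit profile first, then the `environment` env var, then a 127.* bind
// address means development, otherwise production.
function resolveProfile(serverJson, env = {}, bindHost = "0.0.0.0") {
  const chosen = serverJson.profile || env.environment ||
    (bindHost.startsWith("127.") ? "development" : "production");
  return String(chosen).toLowerCase(); // lower-casing is an assumption
}

// Hypothetical helper: compute the effective web.* settings and report every
// one that differs from the production defaults, with the layer that set it.
function auditServer(serverJson, { serverDefaults = {}, env = {}, bindHost = "0.0.0.0" } = {}) {
  const profile = resolveProfile(serverJson, env, bindHost);
  const base = PROFILE_DEFAULTS[profile];
  if (!base) throw new Error(`Unknown profile "${profile}"`);
  // Later layers win: an explicit setting overrides the profile default.
  const layers = [
    [`profile ${profile}`, base],
    ["server.defaults", serverDefaults.web || {}],
    ["server.json", serverJson.web || {}],
  ];
  const effective = {};
  const source = {};
  for (const [name, values] of layers) {
    for (const key of Object.keys(base)) {
      if (values[key] !== undefined) {
        effective[key] = values[key];
        source[key] = name;
      }
    }
  }
  const prod = PROFILE_DEFAULTS.production;
  const deviations = Object.keys(prod)
    .filter((key) => effective[key] !== prod[key])
    .map((key) => `web.${key}=${effective[key]} (set by ${source[key]}; production default is ${prod[key]})`);
  return { profile, effective, deviations };
}

// Constructed sample: the server.json shown above.
const SAMPLE = { profile: "production", web: { blockCFAdmin: false } };
console.log(auditServer(SAMPLE));
```

An empty `deviations` list means the server runs with the production defaults unchanged, which makes the function usable as a pre-deployment check on a `server.json`.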

