About sandbox security

Last update:

May 18, 2026

Note:

Sandbox security is deprecated in ColdFusion (2025 release). See Deprecated features in ColdFusion for more information.

ColdFusion provides two levels of resource-based security:

ColdFusion Standard refers to its sandbox security as resource security. It lets you specify a single set of limitations on access to ColdFusion resources that apply to all ColdFusion applications.
ColdFusion Enterprise refers to its sandbox security as sandbox security. Sandbox security is a superset of resource security. Sandbox security lets you create multiple sandboxes, each** corresponding to a different directory. For each sandbox, you specify a set of resource limitations that apply to all ColdFusion pages in the sandbox directory and its subdirectories. If you create a sandbox that is a subdirectory of a sandbox, the subdirectory's rules override the parent directory's rules. The ColdFusion Administrator Resource Security page (in Standard) and Sandbox Security page (in Enterprise) let you enable resource-based security. In ColdFusion Standard, the page lets you configure the resource settings that apply to all your ColdFusion applications. In ColdFusion Enterprise, the page lets you create sandboxes and configure the resource limitations for each sandbox individually.

Resource control

ColdFusion lets you control access to the following resources:

Resource

Description

Data sources

Enables access to specified data sources.

CF tags

Prevents pages from using CFML tags that access external resources. You can prevent pages in the directory from using any or all of the following tags:cfcollection, cfcontent, cfcookie, cfdirectory, cfdocument, cfexecute, cffile, cfftp, cfgridupdate, cfhttp, cfhttpparam, cfindex, cfinsert, cfinvoke, cfldap, cflog, cfmail, cfobject, cfobjectcache, cfpop, cfquery, cfregistry, cfreport, cfschedule, cfsearch, cfstoredproc, cftransaction, cfupdate

CF functions

Prevents pages from using CFML functions that access external resources. You can prevent pages from using any or all of the following functions:CreateObject (COM, Java, Web Service),{{}}DirectoryExists. ExpandPath, FileExists, GetBaseTemplatePath, GetDirectoryFromPath, GetFileFromPath, GetGatewayHelper, GetProfileString, GetTempDirectory, GetTempFile, GetTemplatePath, SendGatewayMessage, SetProfileString

Files/directories

Sets read, write, execute, and delete access to specified directories, directory trees, or files.

Server/ports

Controls access from ColdFusion to IP addresses and port numbers. You can specify host names or numeric addresses, and you can specify individual ports and port ranges.

Note:

For more information on configuring resource and sandbox security, see Configuring and Administering ColdFusion and the ColdFusion Administrator online Help.

Sandbox security

In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different directory structures. Use it to partition a shared hosting environment so that a number of applications with different purposes, and possibly different owners, run securely on a single server. When multiple applications share a host, you set up a separate directory structure for each application, and apply rules that let each application access only its own data sources and files. Sandbox security also lets you structure and partition an application to reflect the access rights that are appropriate to different functional components. For example, if your application has both employee inquiry functions and HR functions that include creating, accessing, and modifying sensitive data, you could structure the application as follows:

HR pages go in one directory with access rules that enable most activities.
Employee pages go in another directory whose rules limit the files they modify and the tags they use.
Pages required for both HR and employee functions go in a third directory with appropriate access rules.

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature

Other suggestions

Thank you for your feedback. Your response will help improve this page.

Was this helpful?

We are sorry the content didn't meet your needs.

Share additional feedback to help us improve.

0/255 | Character limit exceeded.

Thank you so much for sharing your feedback!

About sandbox security

Resource control

Sandbox security

On this page