| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.attachment.allowblockedextensions | False | Controls whether ColdFusion permits attachments with file extensions that are blocked by default for security reasons. When set to false (default), blocked file types cannot be attached. Setting the flag to true allows these file types to be attached, which may be required for specific trusted use cases but can increase security risk. |
| -Dcoldfusion.xml.saxon.allowEnvironmentVariable | False | Controls whether ColdFusion permits the environment-variable() function in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), this function is blocked, preventing stylesheets from reading environment variables from the host system. Set to true only if your deployment explicitly requires this capability. |
| -Dcoldfusion.xml.saxon.allowResultDocument | False | Controls whether ColdFusion permits the use of xsl:result-document in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), xsl:result-document is blocked, preventing stylesheets from writing output to arbitrary file paths on the server. Set to true only if your deployment explicitly requires this capability. |
| -Dcoldfusion.xml.saxon.allowUnparsedText | False | Controls whether ColdFusion permits the unparsed-text() function family in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), these functions are blocked, preventing stylesheets from reading arbitrary files from the server file system. Set to true only if your deployment explicitly requires this capability. |
| -Dcoldfusion.xml.saxon.allowDocFunction | False | Controls whether ColdFusion permits the doc(), doc-available(), and document() functions in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), these functions are blocked, preventing stylesheets from loading external or server-side XML documents. Set to true only if your deployment explicitly requires this capability. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.async.emptyfuture.blocking | True | Controls how ColdFusion handles get() calls on incomplete empty futures created by runAsync() (i.e., promises with no associated task body that have not yet been completed). When true (default), ColdFusion follows the JVM’s CompletableFuture semantics:
When false, ColdFusion emulates the legacy (pre‑CompletableFuture) behavior:
|
| -Dcoldfusion.allow.restricted.exception.types | False | Controls whether ColdFusion allows system-reserved exception types to be used in user-thrown exceptions via cfthrow (tag) and throw() (cfscript). By default, ColdFusion restricts the type attribute for user-thrown exceptions to custom/application types, and reserves certain types for the engine itself, such as:
When coldfusion.allow.restricted.exception.types=true:
|
| -Dcoldfusion.qoq.enforceOldBehaviour | False | A compatibility flag for Query of Queries GROUP BY processing. When enabled, ColdFusion uses legacy GROUP BY behavior to help preserve compatibility with older applications. When disabled, ColdFusion uses the newer default behavior associated with Query of Queries performance improvements. |
| -Dcoldfusion.qoq.parallel | True | A performance flag that enables or disables parallel processing for Query of Queries. Enabled by default, it allows ColdFusion to use parallelized internal execution for supported in-memory Query of Queries operations. Disabling the flag restores the older non-parallel behavior. |
| -Dcoldfusion.qoq.parallel.threshold | 10000 | A tuning flag that controls when Query of Queries parallelization is applied. The default value is 10000, meaning the parallel path is used only when the in-memory result set exceeds 10,000 rows. |
| -Dcoldfusion.mongodb.returnIdAsString | True | Controls how ColdFusion exposes MongoDB _id values. When set to true (the default), _id is returned as a plain string for backward compatibility, so it works naturally with CF string functions, cfdump, URLs, and session storage, and applications can pass it across requests safely. When false, _id is returned as a CFMongoObjectID wrapper, and hex strings in query filters are auto-converted to BSON ObjectId. This is required when working with external clients (Python, Node.js, mongosh) that insert native ObjectIds, since MongoDB is type-strict and queries with mismatched types silently return empty results. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.administrator.inputlengthfilter.maxlength | | Increases the maximum size (in characters) allowed for input values processed by the ColdFusion Administrator and Admin API. By default, requests containing input fields larger than the configured limit are rejected with an input validation error. Setting this value to 65536 allows ColdFusion Administrator/API operations, such as importing or processing large SAML XML documents, to accept inputs up to 65,536 characters. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.websocket.selector.validation | True | Enables WebSocket selector security validation (default True). Set to false to disable deny list validation for selector expressions. The validation ensures that selector expressions do not contain dangerous ColdFusion commands. By default, selector expressions should use only logical operations. |
| -Dcoldfusion.deserialization.safeguard.enabled | True | Enables ColdFusion’s deserialization safeguard, which applies a default‑deny policy to Java deserialization: only classes required by ColdFusion and those explicitly allow‑listed in serialfilter.txt are permitted; all others are blocked and logged. Set this flag to false to temporarily revert to the previous behavior. |
| -Dcoldfusion.pdf.ddx.allowExternalEntities | False | Controls whether the XML parser used by the cfpdf tag with action="processddx" is allowed to resolve external XML entities defined in DDX (Document Description XML) files.
|
| -Dcoldfusion.datasource.allowed.properties | None | By default, all connection strings are blocked. To allow a connection string in the datasource, use the flag. The values for the flag can be as follows:
|

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.xml.allowExternalEntities | False | This flag controls whether external entities are allowed when parsing XML. By default, the flag is set to false to disable external entity resolution, preventing potential XML External Entity (XXE) vulnerabilities such as file disclosure or denial-of-service attacks. Setting this flag to false (the default) enhances security and prevents blind XXE attacks that could otherwise be exploited to read sensitive files from the file system. If your applications rely on parsing XML with external entities enabled (not recommended), you must explicitly set the flag to true, but this may introduce security risks. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.runtime.remotemethod.matchArguments | True | The flag is set to true by default, which enforces strict argument matching. If a remote method expects certain parameters, those arguments must be explicitly declared using the cfargument tag or defined directly in the function signature. For example, if a remote function is defined to accept two arguments, it must only receive those two. Passing more than the declared number (for example, 10) will result in an error. This change ensures stricter method integrity and a better debugging experience. This behavior change applies only to remote CFC methods. |
| -Dcoldfusion.systemprobe.allowexecution | False | By default, this flag is set to false for security reasons. The flag prevents the execution of a System Probe during a failure. To enable this functionality, set its value to true. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.pdfg.connectionTimeout | | The value is in milliseconds. This is the timeout value that will be set for PDF conversion. If a conversion takes longer than the mentioned value, it will be timed out, and an exception will be thrown. |

| JVM argument | Default | Description |
|---|---|---|
| | | If true, the flag prevents ColdFusion from dynamically compiling CFML code into Java bytecode at runtime. |
| -Dcoldfusion.datasource.blocked.properties | None | The connection strings mentioned are allowed if a new database is added. To block their usage in the database, remove them from the property. The strings are:
Note: This flag WILL NOT work after Update 5 of ColdFusion 2025. |
| -Dcoldfusion.compiler.block.bytecode | True | If true, the flag prevents ColdFusion from executing pre-compiled CFML code (Java bytecode) at runtime. |

| JVM argument | Default | Description |
|---|---|---|
| -Dcoldfusion.encryption.useCFMX_COMPATAsDefault | True | This property is removed. |
| -Dcoldfusion.searchimplicitscopes | True | The flag allows you to enable or disable searching for an un-scoped variable in implicit scopes. The flag controls how ColdFusion searches for variables across implicit scopes, such as variables, arguments, form, URL, and others, when no explicit scope is defined in the code. For proper security enforcement, the recommended value of this flag is false. When the flag is set to false, ColdFusion does not automatically search implicit scopes. The flag was introduced to support customer transition and is scheduled for removal once these transition efforts reach maturity. While no specific timeline has been set for its removal, customers are advised to discontinue use of this flag. |
| -Dcfdocument.metahttpequivrefresh.localfile | True | Impacts how the <cfdocument> tag handles the meta refresh directive when generating PDFs from local files. |
| -Djdk.lang.Process.allowAmbiguousCommands | False | Related to how Java allows ambiguous command-line parsing on Windows. |
| -Dcoldfusion.sessioncookie.httponly | False | Determines if session cookies must be restricted from client-side JavaScript access. |
| -Dcoldfusion.xml.allowPathCharacters | True | Controls whether XML parsing allows file paths (such as slashes /, backslashes \, or colons :) in element names, attributes, or values. |
| -Duser.timezone=<timezone> | | Sets the time zone of the ColdFusion host. If you want UTC timezone, use -Duser.timezone=GMT. |
| -Dfile.encoding | UTF-8 | Sets the encoding of ColdFusion files, for example, .cfc or .cfm. |
| -Dcoldfusion.monitoring.id.reset | True | Controls whether the monitoring ID used by ColdFusion’s Performance Monitoring Toolset (PMT) must be reset when the server starts. |
| -Dcoldfusion.number.allowdotsuffix | False | If set to false, an operand that has a trailing dot is evaluated as a string. |
| -Djdk.tls.client.protocols | TLSv1.2,TLSv1.3 | Specifies the TLS protocols that are used by TLS/SSL clients when establishing secure connections. |
| -Dhttps.protocols | TLSv1.2,TLSv1.3 | Specifies the TLS protocols that are used by HTTPS connections in ColdFusion. |
| -Dcoldfusion.sftp.enable-ssh-rsa | False | Set the flag to True to enable the ssh-rsa algorithm. |
| -Dcoldfusion.sftp.fingerprint | SHA256 | Set the flag to md5, for example, to enforce SFTP connections using the md5 algorithm. |
| -Dcoldfusion.application.orderby.caseinsensitive | True | Determines whether the Order By clause orders string columns the way traditional databases do. |
| -Dcoldfusion.jdbc.mysql.datetime.str | True | If set to True, converts MySQL datetime objects to strings. |
| -Dcoldfusion.jdbc.mssql.multi_resultset.supported | True | Controls the resultset parsing behavior for ResultSets. |
| -Dorg.osgi.framework.bootdelegation | com.singularity.* | Enables scheduled tasks to run in a Docker image. |
| -Dcoldfusion.orderedstruct.size | 32 | Sets the size of ordered structs. |
| -Dcoldfusion.http.usepooling | True | Controls whether HTTP connections should be pooled and reused when making outbound HTTP requests from ColdFusion. |
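
The following audit sketch is an added example, not Adobe's code: it reads one `java.args=` line and reports every security-relevant flag from the tables above whose effective value differs from the hardened one. It assumes the flags are set on a single `java.args=` line (as in a `jvm.config` file, which this page does not describe), and the `POLICY` subset and the names `parse_java_args` and `audit` are choices made for this illustration.

```python
import re

# flag -> (default per the tables above, hardened value). Names are case-sensitive.
POLICY = {
    "coldfusion.xml.allowExternalEntities": ("false", "false"),
    "coldfusion.pdf.ddx.allowExternalEntities": ("false", "false"),
    "coldfusion.xml.saxon.allowEnvironmentVariable": ("false", "false"),
    "coldfusion.xml.saxon.allowResultDocument": ("false", "false"),
    "coldfusion.xml.saxon.allowUnparsedText": ("false", "false"),
    "coldfusion.xml.saxon.allowDocFunction": ("false", "false"),
    "coldfusion.attachment.allowblockedextensions": ("false", "false"),
    "coldfusion.systemprobe.allowexecution": ("false", "false"),
    "coldfusion.sftp.enable-ssh-rsa": ("false", "false"),
    "coldfusion.deserialization.safeguard.enabled": ("true", "true"),
    "coldfusion.websocket.selector.validation": ("true", "true"),
    "coldfusion.searchimplicitscopes": ("true", "false"),  # default differs from the recommended value
}
TLS_FLAGS = ("jdk.tls.client.protocols", "https.protocols")
TLS_OK = {"TLSv1.2", "TLSv1.3"}

def parse_java_args(line):
    """Return {property: value} for each -Dname=value token of a java.args line."""
    args = line.split("=", 1)[1] if line.startswith("java.args=") else line
    props = {}
    for token in args.split():
        m = re.fullmatch(r"-D([^=]+)=(.*)", token)
        if m:
            props[m.group(1)] = m.group(2)  # a repeated property keeps the last value seen
    return props

def audit(line):
    """List (flag, effective value, hardened value) for every deviation."""
    props, findings = parse_java_args(line), []
    for name, (default, hardened) in POLICY.items():
        effective = props.get(name, default).strip().lower()
        if effective != hardened:
            findings.append((name, effective, hardened))
    for name in TLS_FLAGS:
        listed = [p.strip() for p in props.get(name, "").split(",") if p.strip()]
        if any(p not in TLS_OK for p in listed):
            findings.append((name, ",".join(listed), "TLSv1.2,TLSv1.3"))
    return findings

# Constructed sample line, not taken from a real server.
SAMPLE = ("java.args=-server -Xms256m -Dcoldfusion.xml.allowExternalEntities=true "
          "-Dcoldfusion.deserialization.safeguard.enabled=false "
          "-Dcoldfusion.sftp.enable-ssh-rsa=False -Dhttps.protocols=TLSv1,TLSv1.2")

if __name__ == "__main__":
    for flag, got, want in audit(SAMPLE):
        print(f"{flag}: effective={got} hardened={want}")
```

An unset flag is evaluated at the default listed on this page, so `coldfusion.searchimplicitscopes` is reported until it is explicitly set to false.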