How to Encrypt or Compile ColdFusion Files


If you wish to obscure your ColdFusion source code before deploying it to Hostek, you have a couple of options: cfcompile.bat and cfencode.exe. To use either of these options, you must first download and install a copy of ColdFusion on your local computer. To obtain a free Developer Edition of ColdFusion, follow the link at Adobe's ColdFusion Support Center.

Using cfcompile.bat

The cfcompile.bat utility will compile all .cfm and .cfc files within a given directory into Java bytecode. This has the effect of making your source code unreadable, and it also saves ColdFusion from having to compile your ColdFusion files on first use, which provides a small performance enhancement.

Cfcompile uses the following syntax:

  • Example:
    c:\ColdFusion11\cfusion\bin\cfcompile.bat -deploy HOSTEKWEBROOT SOURCE COMPILED

(If your site and local installation use ColdFusion 10, be sure to update the path to cfcompile.bat accordingly.)

In the above example, make the following changes:

  • HOSTEKWEBROOT should be the path to your site's wwwroot folder at Hostek.
    • Eg: d:\home\\wwwroot
  • SOURCE should be the path to the un-compiled ColdFusion site files on your computer.
    • Eg: c:\SOURCE
  • COMPILED should be where cfcompile.bat will save the compiled ColdFusion files.
    • Eg: c:\COMPILED

Once cfcompile.bat has finished executing, you can copy the contents of your COMPILED directory to your site's Web root at Hostek (through FTP). Once the compiled files have been uploaded, ColdFusion will begin using them immediately.

More details about using cfcompile.bat can be found in ColdFusion's Documentation.

Using cfencode.exe

The cfencode.exe utility will apply basic encryption to a specific file or directory. If used to encrypt a directory, it will apply encryption to ALL files in the directory, which can break any JS, CSS, images, or other non-ColdFusion files. As such, use the following directions to encrypt ONLY your .cfm and .cfc files:

  1. Use robocopy to copy only your site's .cfm and .cfc files to a temporary working directory. If you do not have robocopy, it can be easily installed as part of the Windows Server Resource Kit.
    • Example:
      "C:\Program Files (x86)\Windows Resource Kits\Tools\robocopy.exe" c:\SOURCE c:\ENCODED *.cfm *.cfc /E
      (Where SOURCE is the location of your unmodified site files, and ENCODED is your temporary working directory)
  2. Run cfencode.exe against the files in your temporary working directory.
    • Example:
      c:\ColdFusion11\cfusion\bin\cfencode.exe c:\ENCODED /r /v 2
      (Where ENCODED is the path to your temporary working directory from the previous step)
  3. At this point, you can copy the contents of c:\ENCODED to your site at Hostek (through FTP), and the server will begin using the encrypted versions of your .cfm and .cfc files immediately.
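
The three steps above can be combined into one PowerShell script that also checks the working directory before anything is uploaded. This is an added example, not a script from Hostek or Adobe; the paths are the placeholder paths used on this page, robocopy is assumed to be on the PATH, and comparing SHA-256 hashes against the source is this example's own way of spotting files that cfencode left unchanged.

```powershell
# Assumed local paths (placeholders matching the examples on this page).
$Source   = 'c:\SOURCE'
$Encoded  = 'c:\ENCODED'
$CfEncode = 'c:\ColdFusion11\cfusion\bin\cfencode.exe'

# Step 1: stage only .cfm and .cfc files (same robocopy arguments as above).
robocopy $Source $Encoded *.cfm *.cfc /E | Out-Null
# robocopy exit codes of 8 or higher indicate a failed copy.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Step 2: encode the staged copies (same cfencode arguments as above).
& $CfEncode $Encoded /r /v 2

# Step 3: verify the staging directory before uploading it.
$problems = @()
$root = (Resolve-Path $Encoded).Path.TrimEnd('\')
foreach ($file in Get-ChildItem -Path $Encoded -Recurse -File) {
    $relative = $file.FullName.Substring($root.Length + 1)
    if ($file.Extension -notin '.cfm', '.cfc') {
        # cfencode would have altered this file; it should not be in staging.
        $problems += "Unexpected non-ColdFusion file: $relative"
        continue
    }
    $original = Join-Path $Source $relative
    if (-not (Test-Path -LiteralPath $original)) {
        # Stale file left over from an earlier run of the procedure.
        $problems += "No matching source file: $relative"
        continue
    }
    # Identical hashes mean the staged file is still readable source.
    $before = (Get-FileHash -LiteralPath $original -Algorithm SHA256).Hash
    $after  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($before -eq $after) {
        $problems += "Not encoded (identical to source): $relative"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Staging directory failed verification; do not upload."
}
Write-Output "All staged .cfm/.cfc files differ from source; ready to upload."
```

A file reported as "Not encoded" would be uploaded as plain source, so re-run cfencode.exe and this check until no warnings remain.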

Note: Encrypting your site files with cfencode does not guarantee absolute security of your source code, but it does add a layer of obfuscation to help prevent unauthorized individuals from viewing the source.