Welcome to ColdBox Security, the best way to secure your ColdBox apps.
The Best Way To Secure Your Applications
The ColdBox cbsecurity module is a collection of modules to help secure your ColdBox applications.
Security Visualizer
The major areas of concern are:
  • A security authentication/authorization firewall (cbsecurity) which can secure your application based on:
    • Security rules and a rule engine that validates incoming events or URL patterns
    • Handler annotations
  • A security service for explicit authorizations (cbsecurity), giving you a functional approach to security-context authorization in any layer of your application
  • A JWT generator, decoder, and authentication services (jwtcfml)
  • Cross-Site Request Forgery (CSRF) protection (cbcsrf)
  • An authentication manager (cbauth) that can be swapped for your own or third-party modules
  • Basic Authentication services that provide basic user credential storage and browser challenges
  • A graphical user interface for visualizing the firewall and operational settings, which we lovingly call the CBSecurity Visualizer
  • Industry-standard response headers to protect against XSS, clickjacking, frame busting, and much more
  • Secure random password generation

Module composition

CBSecurity consumes several other modules and leverages cbstorages for storage.


  • Global security rules
  • Modules can add their own security rules and action overrides
  • Distinguishes between authentication and authorization failures
  • Annotation-driven cascading security for handlers and actions
  • A functional security service that can be injected anywhere to provide authorizations
  • Security rules can live in:
    • An XML file
    • A JSON file
    • A database
    • Models
  • Rules can be configured to match with regular expressions or simple snippets
  • ColdFusion authentication security can be used
  • Any custom authentication provider can be leveraged
  • Plug in any authentication service, or use cbauth by default
  • Distinguishes between invalid authentication and invalid authorization and lets each determine the outcome of the request
  • Security rules can be loaded and unloaded from contributing modules
  • Each module can define its own validator
  • Native support for JWT access and refresh tokens
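As an added illustration (not code from this page or from the cbsecurity project itself), the following shows the shape of an inline firewall rule next to the handler-annotation approach the list above describes. The module setting and rule key names (validator, invalidAuthenticationEvent, invalidAuthorizationEvent, secureList, whiteList, match, roles, action, redirect) reflect my understanding of cbsecurity's settings structure and are assumptions to check against the module's settings reference; the event names, role name and file paths are hypothetical. The rule denies every `admin.` event to anyone without the admin role while exempting the login event, so a forgotten annotation on a new admin action still fails closed.

```cfml
// config/ColdBox.cfc (added example; key names are assumptions, see lead-in)
component {

    function configure(){
        moduleSettings = {
            cbsecurity : {
                // Validator that answers "is this request authenticated/authorized?"
                validator : "CBAuthValidator@cbsecurity",
                // Separate destinations so an unauthenticated user gets a login page
                // while an authenticated-but-unauthorized user gets a clear denial
                invalidAuthenticationEvent  : "security.login",
                invalidAuthorizationEvent   : "security.forbidden",
                defaultAuthenticationAction : "redirect",
                defaultAuthorizationAction  : "redirect",
                // Inline rules; rules could equally come from XML, JSON, a database or a model
                rules : [
                    {
                        "secureList"  : "^admin\.",        // regex matched against the incoming event
                        "whiteList"   : "^admin\.login$",  // exception: the login form itself is public
                        "match"       : "event",
                        "roles"       : "admin",           // required role for anything in secureList
                        "permissions" : "",
                        "action"      : "redirect",
                        "redirect"    : "security.login"
                    }
                ]
            }
        };
    }

}

// handlers/admin.cfc (hypothetical handler): annotation-driven security.
// The component-level `secured` annotation protects every action in the handler;
// an action-level annotation narrows it further (security cascades down).
component secured {

    function index( event, rc, prc ) secured="admin" {
        event.setView( "admin/index" );
    }

    // No explicit annotation here, but the component-level `secured`
    // still requires an authenticated user before this action runs.
    function dashboard( event, rc, prc ) {
        event.setView( "admin/dashboard" );
    }

}
```

Keeping both layers is intentional: the rule in the config is the perimeter that catches events a developer forgot to annotate, and the annotations document the requirement next to the code it protects.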


The ColdBox Security Module is maintained under the Semantic Versioning guidelines as much as possible. Releases will be numbered in the following format:
And constructed with the following guidelines:
  • Breaking backward compatibility bumps the major (and resets the minor and patch)
  • New additions without breaking backward compatibility bump the minor (and reset the patch)
  • Bug fixes and misc changes bump the patch


Professional Open Source

Ortus Solutions, Corp
The ColdBox Security Module is professional open-source software backed by Ortus Solutions, Corp, which offers services like:
  • Custom Development
  • Professional Support & Mentoring
  • Training
  • Server Tuning
  • Security Hardening
  • Code Reviews
  • Much More

Discussion & Help

The Box products and modules community for discussion and help can be found here:


Because of His grace, this project exists. If you don't like this, then don't read it; it's not for you.
"Therefore being justified by faith, we have peace with God through our Lord Jesus Christ: By whom also we have access by faith into this grace wherein we stand, and rejoice in hope of the glory of God." Romans 5:5