Ask or search…

What's New With 3.0.0

January 2023
v3.x Release


  • Dropped Adobe ColdFusion 2016
  • New JwtAuthValidator instead of mixing concerns with the JwtService. You will have to update your configuration to use this validator instead of the JwtService
  • All settings have changed. They are not single-level anymore. They are now grouped by functionality. Please see the Configuration area for the new approach.


  • New ability for the firewall to log all action events to a database table.
  • If enabled, a new visualizer can visualize all settings and firewall events via the log table.
  • New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure apps where no database interaction is needed or required.
  • New global and rule action: block and the firewall will block the request with a 401 Unauthorized page.
  • New event cbSecurity_onFirewallBlock announced whenever the firewall blocks a request into the system with a 403.
  • DBTokenStorage now rotates using the async scheduler and not direct usage anymore.
  • Ability to set the cbcsrf module settings into the cbsecurity settings as csrf.
  • We now default the user service class and the auth token rotation events according to the user authentication service (cbauth, etc.); no need to duplicate work.
  • New rule-based IP security. You can add a allowedIPs key into any rule and add which IP Addresses are allowed into the match. By default, it matches all IPs.
  • New rule-based HTTP method security. You can add a httpMethods key into any rule and add which HTTP methods are allowed into the match. By default, it matches all HTTP Verbs.
  • New securityHeaders configuration to allow a developer to protect their apps from common exploits: XSS, HSTS, Content Type Options, host header validation, IP validation, clickjacking, non-SSL redirection, and much more.
  • The security firewall now stores the authenticated user according to the prcUserVariable on authenticated calls via preProcess() no matter the validator used
  • Dynamic Custom Claims: You can pass a function/closure as the value for a custom claim, and it will be evaluated at runtime, passing in the current claims before being encoded
  • Allow passing in custom refresh token claims to attempt() and fromUser() and refreshToken() : refreshCustomClaims
  • Added TokenInvalidException and TokenExpiredException to the refreshToken endpoint


  • Disable lastAccessTimeouts for JWT CacheTokenStorage BOX-128
  • Fix spelling of property datasource on queryExecute that was causing a read issue.