Release History

A brief history in time of our major releases

In this section you will find the release notes for each version we release under this major version. If you are looking for the release notes of previous major versions use the version switcher at the top left of this documentation book. Here is a breakdown of our major version releases.

Version 3.0

Version 3 is a major rewrite of this module. It drops Adobe 2016 support and enhances the way the firewall is configured. It also adds major capabilities for security headers, CSRF settings and much more.

It also introduces the ability for the firewall to do 401 response blocks as actions for security rules. The CBSecurity visualizer is also a major addition that allows a developer or manager to visualize the performance of the firewall and visualize all the configurations necessary for operation.

Finally, we have introduced basic authentication for your applications with an optional user credential in-memory storage.

Version 2.0

Version 2 is a major release of our security module. We completely refactored the engine to make it more modern and to adhere to our new coding standards. We then proceeded to enhance it to tap into our HMVC approach and allow rules to be contributed from modules themselves. We also added annotation driven security to complete the ability to secure not only incoming requests by rules but also by easy annotations.

We have made great strides in this release to make it a one-stop-shop for security concerns within ColdBox applications.

Version 1.0

Our first release as a module decoupled from the ColdBox 2 days!

Introduction

Enterprise-grade security for ColdBox applications with authentication, authorization, JWT, CSRF protection, and comprehensive security headers.

Enterprise Security for ColdBox Applications

CBSecurity is a comprehensive security framework for ColdBox applications, providing enterprise-grade authentication, authorization, and protection mechanisms. It combines multiple security modules into a cohesive, easy-to-use security platform that helps developers build secure applications with minimal effort.

Security Visualizer - Monitor and configure your security settings

🎯 Core Security Capabilities

CBSecurity provides a multi-layered security approach with the following key capabilities:

🔐 Authentication & Authorization

  • Security Firewall - Rule-based request protection using security rules engine and handler annotations

  • Authentication Manager (cbauth) - Pluggable authentication system compatible with any authentication provider

  • Basic Authentication - Built-in HTTP Basic Auth support with credential storage and browser challenge handling

🎫 Token Management

  • JWT Services (jwtcfml) - Complete JSON Web Token implementation with generation, decoding, and validation

  • Access & Refresh Tokens - Native support for JWT-based authentication flows

  • Token Storage - Flexible token storage with multiple backend options

🛡️ Security Protections

  • CSRF Protection (cbcsrf) - Cross-Site Request Forgery protection for form submissions

  • Security Headers - Industry-standard HTTP response headers (CSP, HSTS, X-Frame-Options, XSS Protection)

  • Password Generator - Cryptographically secure random password generation

📊 Management & Monitoring

  • Security Visualizer - Graphical interface for monitoring firewall activity and managing security configurations

  • Rule Engine - Flexible security rules supporting XML, JSON, database, and model-based configurations

  • Module Integration - Allows modules to contribute their own security rules and validation logic

🧩 Module Composition

CBSecurity is built on a modular architecture that integrates several specialized security modules:

  • Authorization Service - Functional security API for authorization checks across all application layers

  • JWT Token Management - Complete support for JWT access and refresh token workflows

CBSecurity Architecture - Module integration with cbstorages for flexible storage

The framework leverages cbstorages for flexible storage backends and seamlessly integrates with the ColdBox ecosystem to provide comprehensive security coverage across your entire application.

⭐ Key Features

📋 Flexible Security Rules

  • Multiple Storage Options - Define rules in XML, JSON, databases, or ColdBox models

  • Regular Expression Support - Use regex patterns or simple string matching for rule definitions

  • Modular Rules - Modules can contribute their own security rules with custom validation logic

  • Dynamic Rule Loading - Load and unload security rules at runtime from contributing modules

🔒 Advanced Authorization

  • Annotation-Driven Security - Secure handlers and actions using ColdBox annotations

  • Cascading Security - Hierarchical security rules from global to handler to action level

  • Functional API - Injectable security service for authorization checks in any application layer

  • Custom Validators - Each module can define its own security validator implementation

🔑 Authentication Flexibility

  • Multiple Authentication Providers - Works with cbauth, ColdFusion native authentication, or custom providers

  • Provider Agnostic - Implements standard interfaces allowing any authentication system integration

  • Basic Authentication - Built-in HTTP Basic Auth with credential storage

⚡ Security Response Handling

  • Granular Control - Distinguish between authentication failures and authorization denials

  • Customizable Actions - Configure different responses for invalid authentication vs. authorization

  • Event-Driven - Hook into security events for custom logging, monitoring, or response handling

📜 License

CBSecurity is open-source software licensed under the Apache License 2.0.

📚 Resources

📖 Documentation & Support

  • Documentation - https://coldbox-security.ortusbooks.com

  • Source Code - https://github.com/coldbox-modules/cbsecurity

  • Issue Tracker - https://github.com/coldbox-modules/cbsecurity/issues

  • Community Forum - https://community.ortussolutions.com/c/box-modules/cbsecurity/

💬 Getting Help

The ColdBox community is active and ready to help:

  • Community Forum - Ask questions and share knowledge with other developers

  • GitHub Issues - Report bugs and request features

  • Professional Support - Enterprise support available through Ortus Solutions

🏢 Professional Open Source

CBSecurity is professionally developed and supported by Ortus Solutions, Corp, a leader in CFML consulting and development.

🚀 Enterprise Services

Ortus Solutions offers comprehensive professional services for CBSecurity and the ColdBox Platform:

  • 🛠️ Custom Development - Tailored security solutions for your specific requirements

  • 👨‍🏫 Professional Support & Mentoring - Expert guidance from the creators of ColdBox

  • 📚 Training - Official ColdBox and security training programs

  • 🔍 Architecture & Code Reviews - Expert evaluation of your security implementation

  • ⚡ Performance Optimization - Server tuning and application optimization

  • 🔐 Security Hardening - Comprehensive security audits and hardening services


🙏 HONOR GOES TO GOD ABOVE ALL

Because of His grace, this project exists. If you don't like this, then don't read it; it's not for you.

"Therefore being justified by faith, we have peace with God through our Lord Jesus Christ: By whom also we have access by faith into this grace wherein we stand, and rejoice in hope of the glory of God." Romans 5:5


Upgrade to 3.0.0

CBSecurity 3 is a major release and it will require some updates in order for you to fully upgrade from your previous versions.

Adobe 2016, 2018 Support Dropped

These engines are no longer supported.

JwtService Validator Deprecated

In the previous releases the validator for JWT was JwtService@cbsecurity. This has now changed to JwtAuthValidator@cbsecurity, so make sure you update your configurations.

CBAuthValidator Deprecated

The CBAuthValidator has been renamed to just AuthValidator. This validator is no longer cbauth focused but IAuthService focused. It also supports role and permission based authorization.

Settings Structure

The entire settings structure has been redesigned to support many features in a more concise, block-based approach. All top-level settings have been removed and added to specific sections. Please review the section in detail to see where each new setting belongs.

What's New With 3.4.0

June 14, 2023

Added

  • Official Adobe 2023 Support

  • Gitflows for testing all engines and all versions of ColdBox

What's New With 3.1.0

2023-FEB-17

Added

  • Added a new helper: createPassword() on the CBSecurity model to generate secure, random passwords with letters, symbols, and numbers.

What's New With 3.2.0

March 29, 2023

Added

  • Migrations table for security logs

  • New bootstrap icons + css + js

  • Added transientCache=false to auth User to avoid any issues when doing security operations

  • Added population control for auth User for extra security

  • New github support files

Fixed

  • User auth was not serializing the id of the user in the mementifier config

  • getActionsReport() was not defaulting the type's structure, so exceptions would arise when there was no data in the visualizer

cbcsrf upgraded to version 3, which we missed in the previous release.

What's New With 3.3.0

March 31, 2023

Added

  • Added guest() method to CBSecurity model and Authorizable delegate

What's New With 3.4.3

What's new with CBSecurity 3.4.3

CBSecurity 3.4.3 is a maintenance release that addresses ColdBox 7 compatibility requirements.

ColdBox 7 Compliance

View Rendering Method Update

The primary change in this release addresses a breaking change in ColdBox 7:

  • Fixed: Renamed renderView() to view() to be ColdBox 7 compliant

  • This change ensures CBSecurity works properly with ColdBox 7's updated view rendering methods

  • Maintains backward compatibility with earlier ColdBox versions

System Requirements

  • ColdBox Framework: 6+ (ColdBox 7 compliant)

  • CFML Engines: Adobe ColdFusion 2018+, Lucee 5+

  • CommandBox: 5.0+

Compatibility Notes

This release maintains full backward compatibility with existing CBSecurity 3.x installations while ensuring forward compatibility with ColdBox 7.

Migration Notes

No migration steps are required for this release. Simply update your CBSecurity module dependency:

    # Update to latest version
    box update cbsecurity

    # Or install specific version
    box install cbsecurity@3.4.3

Related Resources

  • CBSecurity Documentation - https://coldbox-security.ortusbooks.com

  • Source Code - https://github.com/coldbox-modules/cbsecurity

  • Issue Tracker - https://github.com/coldbox-modules/cbsecurity/issues

  • ColdBox Framework

What's New With 3.4.2

What's new with CBSecurity 3.4.2

CBSecurity 3.4.2 is a maintenance release that addresses database compatibility issues and improves documentation standards.

Database Compatibility Improvements

Oracle Database Support

  • Fixed: Updated security logs columns to work with Oracle databases using clob data type

  • This enhancement ensures CBSecurity's logging functionality works seamlessly with Oracle database environments

  • Improves enterprise database compatibility for security audit trails

Security Logs Configuration

  • Fixed: cbsecurity_logs table name is now properly referenced instead of being hard-coded

  • This change ensures the module setting for the logs table name is properly respected

  • Provides better flexibility for custom table naming conventions

Documentation Improvements

Markdown Rules Updates

  • Fixed: Updated markdown rules to eliminate duplicate headers

  • Improved documentation consistency and readability

  • Enhanced GitBook compatibility and navigation structure

System Requirements

  • ColdBox Framework: 6+

  • CFML Engines: Adobe ColdFusion 2018+, Lucee 5+

  • CommandBox: 5.0+

  • Database: Any supported database (Oracle compatibility enhanced)

Compatibility Notes

This release maintains full backward compatibility with existing CBSecurity 3.x installations while improving database compatibility across different database engines.

Migration Notes

No migration steps are required for this release. Simply update your CBSecurity module dependency:

    # Update to latest version
    box update cbsecurity

    # Or install specific version
    box install cbsecurity@3.4.2

Oracle Database Users

If you're using Oracle and experiencing issues with security logs, this update will resolve column type compatibility issues. No manual database changes are required.

Related Resources

  • CBSecurity Documentation - https://coldbox-security.ortusbooks.com

  • Source Code - https://github.com/coldbox-modules/cbsecurity

  • Issue Tracker - https://github.com/coldbox-modules/cbsecurity/issues

  • Database Configuration Guide

What's New With 3.0.0

January 2023

v3.x Release

Compatibility

  • Dropped Adobe ColdFusion 2016

  • New JwtAuthValidator instead of mixing concerns with the JwtService. You will have to update your configuration to use this validator instead of the JwtService

  • All settings have changed. They are not single-level anymore. They are now grouped by functionality. Please see the area for the new approach.

Added

  • New ability for the firewall to log all action events to a database table.

  • If enabled, a new visualizer can visualize all settings and firewall events via the log table.

  • New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure apps where no database interaction is needed or required.

  • New global and rule action: block, and the firewall will block the request with a 401 Unauthorized page.

  • New event cbSecurity_onFirewallBlock announced whenever the firewall blocks a request into the system with a 403.

  • DBTokenStorage now rotates using the async scheduler and not direct usage anymore.

  • Ability to set the cbcsrf module settings into the cbsecurity settings as csrf.

  • We now default the user service class and the auth token rotation events according to the user authentication service (cbauth, etc.); no need to duplicate work.

  • New rule-based IP security. You can add an allowedIPs key into any rule and add which IP Addresses are allowed into the match. By default, it matches all IPs.

  • New rule-based HTTP method security. You can add a httpMethods key into any rule and add which HTTP methods are allowed into the match. By default, it matches all HTTP Verbs.

  • New securityHeaders configuration to allow a developer to protect their apps from common exploits: XSS, HSTS, Content Type Options, host header validation, IP validation, clickjacking, non-SSL redirection, and much more.

  • The security firewall now stores the authenticated user according to the prcUserVariable on authenticated calls via preProcess() no matter the validator used

  • Dynamic Custom Claims: You can pass a function/closure as the value for a custom claim, and it will be evaluated at runtime, passing in the current claims before being encoded

  • Allow passing in custom refresh token claims to attempt() and fromUser() and refreshToken(): refreshCustomClaims

  • Added TokenInvalidException and TokenExpiredException to the refreshToken endpoint

Fixed

  • Disable lastAccessTimeouts for JWT CacheTokenStorage BOX-128

  • Fix spelling of property datasource on queryExecute that was causing a read issue.

About This Book

A little more info about this book

The source code for this book is hosted on GitHub: https://github.com/ortus-docs/cbsecurity-docs. You can freely contribute to it and submit pull requests. The contents of this book are copyrighted by Ortus Solutions, Corp and cannot be altered or reproduced without the author's consent. All content is provided "As-Is" and can be freely distributed.

  • The majority of code examples in this book are done in cfscript.

  • The majority of code generation and running of examples are done via CommandBox: The ColdFusion (CFML) CLI, Package Manager, REPL - https://www.ortussolutions.com/products/commandbox

What's New With 3.4.1

What's new with CBSecurity 3.4.1

CBSecurity 3.4.1 is a targeted maintenance release that addresses a specific database compatibility issue with Microsoft SQL Server.

Database Compatibility Fix

Microsoft SQL Server Support

  • Fixed: Added proper parentheses on TOP statements for Microsoft SQL Server in the DBLogger

  • This fix resolves SQL syntax errors that were occurring when using CBSecurity's database logging features with MSSQL Server

  • Thanks to @irvirv for identifying and helping resolve this issue

System Requirements

  • ColdBox Framework: 6+

  • CFML Engines: Adobe ColdFusion 2018+, Lucee 5+

  • CommandBox: 5.0+

  • Database: Any supported database (MSSQL Server compatibility enhanced)

Compatibility Notes

This release maintains full backward compatibility with existing CBSecurity 3.x installations while fixing a specific SQL syntax issue affecting Microsoft SQL Server users.

Migration Notes

No migration steps are required for this release. Simply update your CBSecurity module dependency:

    # Update to latest version
    box update cbsecurity

    # Or install specific version
    box install cbsecurity@3.4.1

Microsoft SQL Server Users

If you're using Microsoft SQL Server and experiencing SQL syntax errors in the DBLogger, this update will resolve those issues. No manual database changes are required.

Related Resources

  • CBSecurity Documentation - https://coldbox-security.ortusbooks.com

  • Source Code - https://github.com/coldbox-modules/cbsecurity

  • Issue Tracker - https://github.com/coldbox-modules/cbsecurity/issues

  • Database Configuration Guide

    Author

    About our authors

Luis Fernando Majano Lainez

Luis Majano is a Computer Engineer who has been developing and designing software systems since 2000. He was born in San Salvador, El Salvador in the late 70s, during a period of economic instability and civil war. He lived in El Salvador until 1995 and then moved to Miami, Florida where he completed his Bachelor of Science in Computer Engineering at Florida International University.

He is the CEO of Ortus Solutions, a consulting firm specializing in web development, ColdFusion (CFML), Java development, and all open-source professional services under the ColdBox and ContentBox stack. He is the creator of ColdBox, ContentBox, WireBox, CommandBox, LogBox, and anything “BOX” and contributes to many open-source ColdFusion/Java projects. You can read his blog at www.luismajano.com.

Luis is passionate about Jesus, tennis, golf, volleyball, and anything electronic. Random Author Facts:

  • He played volleyball in the Salvadorean National Team at the tender age of 17

  • The Lord of the Rings and The Hobbit are his favorite books (Geek!)

  • His first ever computer was a Texas Instruments TI-86 that his parents gave him in 1986. After some time digesting his very first BASIC book, he had written his own tic-tac-toe game at the age of 9. (Extra geek!)

  • He has a geek love for circuits, microcontrollers, and overall embedded systems.

  • He has, of late (during old age), become a fan of organic gardening.

Keep Jesus number one in your life and in your heart. I did and it changed my life from desolation, defeat and failure to an abundant life full of love, thankfulness, joy and overwhelming peace. As this world breathes failure and fear upon any life, Jesus brings power, love and a sound mind to everybody!

“Trust in the LORD with all your heart, and do not lean on your own understanding.” Proverbs 3:5

Contributors

Will de Bruin

Brad Wood

External Trademarks & Copyrights

Flash, Flex, ColdFusion, and Adobe are registered trademarks and copyrights of Adobe Systems, Inc.

Notice of Liability

The information in this book is distributed “as is” without warranty. The author and Ortus Solutions, Corp shall not have any liability to any person or entity concerning loss or damage caused or alleged to be caused directly or indirectly by the content of this training book, software, and resources described in it.

Contributing

We highly encourage contributions to this book and our open-source software. The source code for this book can be found in our GitHub repository, where you can submit pull requests.

Charitable Proceeds

10% of the proceeds of this book will go to charity to support orphaned kids in El Salvador - https://www.harvesting.org/. So please donate and purchase the printed version of this book; every book sold can help a child for almost two months.

Shalom Children's Home

Shalom Children’s Home is one of the ministries dear to our hearts in El Salvador. During the 12-year civil war that ended in 1990, many children were left orphaned or abandoned by parents who fled El Salvador. The Benners saw the need to help these children and received 13 children in 1982. Little by little, more children came on their own, churches and the government brought children to them for care, and the Shalom Children’s Home was founded.

Shalom now cares for over 80 children in El Salvador, from newborns to 18 years old. They receive shelter, clothing, food, medical care, education, and life skills training in a Christian environment. A child sponsorship program supports the home.

We have personally supported Shalom since; it is a place of blessing for many children in El Salvador who either have no families or have been abandoned. This is a good earth to seed and plant.




What's New With 3.5.0

What's new with CBSecurity 3.5.0

CBSecurity 3.5.0 is a significant modernization release that brings enhanced platform support, improved development workflows, and comprehensive AI assistance capabilities.

BoxLang Certification

CBSecurity 3.5.0 has been fully certified for BoxLang, the modern dynamic JVM language. This includes:

  • Complete compatibility testing with BoxLang runtime

  • Validated functionality across all CBSecurity features

  • Updated examples and documentation for BoxLang syntax

  • Full test harness coverage for BoxLang environments

ColdBox 8 Support

This release adds official support and certification for ColdBox 8, ensuring CBSecurity works seamlessly with the latest ColdBox framework features and improvements.

Enhanced Development Workflows

GitHub Actions Updates

The project has migrated to modern GitHub Actions workflows, providing:

  • Improved CI/CD pipeline reliability

  • Better cross-platform testing coverage

  • Automated testing across multiple CFML engines

  • Enhanced security scanning and dependency management

Test Harness Improvements

The test harness has been significantly upgraded to provide:

  • Better local development experience

  • Enhanced integration testing capabilities

  • Improved TestBox runner configuration

  • Streamlined server startup and configuration

AI-Powered Development Assistance

GitHub Copilot Instructions

CBSecurity 3.5.0 introduces comprehensive AI assistance through:

  • .github/copilot-instructions.md - Detailed guidance for AI agents covering:

    • Module architecture and component relationships

    • Security validator patterns and implementation

    • Interceptor flow and event handling

This enhancement enables AI tools like GitHub Copilot to provide more accurate and contextual assistance when working with CBSecurity.

Developer Experience Improvements

Documentation Enhancements

  • Documented test-harness structure and usage patterns

  • Enhanced TestBox runner details for local integration testing

  • Improved developer workflow documentation

  • Better guidance for module extension and customization

Local Development Setup

The release includes improved documentation and tooling for:

  • Setting up local development environments

  • Running integration tests via test-harness/tests/runner.cfm

  • Using box.json scripts for common development tasks

  • Server configuration for different CFML engines

System Requirements

  • ColdBox Framework: 6+ (ColdBox 8 certified)

  • CFML Engines: BoxLang 1+ (Preferred), Lucee 5+, Adobe 2023+

  • CommandBox: 5.0+

Compatibility Notes

This release maintains full backward compatibility with existing CBSecurity 3.x installations. No breaking changes have been introduced.

Migration Notes

No migration steps are required for this release. Simply update your CBSecurity module dependency:

    # Update to latest version
    box update cbsecurity

    # Or install specific version
    box install cbsecurity@3.5.0

Related Resources

  • Development workflows and best practices

  • Test harness setup and TestBox runner details

  • CBSecurity Documentation - https://coldbox-security.ortusbooks.com

  • Source Code - https://github.com/coldbox-modules/cbsecurity

  • Issue Tracker - https://github.com/coldbox-modules/cbsecurity/issues

  • BoxLang Documentation