Rule ID
SV-279107r1171430_rule
Version
V1R1
CCIs
CCI-000366, CCI-000381
CORS is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. However, mobile applications often need to access resources from different origins. Enabling CORS allows the server to specify which origins are permitted to access its resources, thereby ensuring secure communication between the mobile application and the server. In ColdFusion, administrators can configure ColdFusion to enable CORS by specifying the allowed origins, methods, and headers. This setting enhances the security of the application by ensuring that only trusted origins can access the server's resources, thereby preventing unauthorized access and data breaches. Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095
Validate Mobile Services settings. 1. Ask the administrator if ColdFusion Mobile services are being used by any hosted applications. If hosted applications are using the service, this is not a finding. 2. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If "Enable mobile's server workflow" is checked, this is a finding. 3. Review the "Enable CORS" setting. If CORS is not enabled, this is a finding. 4. Review the "Mobile server context" setting. If the mobile server context is set to "cfmobile", this is a finding.
Configure Mobile Services settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Uncheck "Enable mobile's server workflow" if it is checked. 3. Enable CORS to address this finding if it is not already enabled. 4. Update the mobile server context to a value other than "cfmobile" if it is currently set to "cfmobile". 5. Select "Submit Changes".