> I've always thought this was more for load distribution
> though than security.
No, it's for security. This model is used in high-security configurations to remove all executable functionality, so that if (when?) the web server is compromised, no scripts or programs can be created or modified.

It can be done with CF directly using "distributed mode", in which the CF web server integration module is configured to connect to a remote server instead of localhost, or it can be done using a web server configured as a reverse proxy to an internal web server running CF.

While this is very effective as a protection against vulnerabilities in your public web server and its OS, this doesn't do anything to protect against application server vulnerabilities such as SQL injection and XSS, which in my opinion are more common, and perhaps more serious.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289390
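
The reverse-proxy variant described in the message above, sketched as an Apache httpd 2.4 virtual host for the public-facing server. This is an added example, not part of the original post; the host names, the back-end port and the file paths are assumptions.

```apache
# Added example (constructed): public web server that only proxies.
# Assumed names: www.example.com is the public site,
# cf-internal.example.lan:8080 is the internal web server running CF.
#
# On this host, load mod_proxy and mod_proxy_http only. Do not load
# mod_cgi, mod_cgid, mod_include, a scripting module or the CF
# connector, so nothing on the public server can execute a script.

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Static assets are served locally; exclusions must precede "/".
    ProxyPass        /images/ !
    ProxyPass        / http://cf-internal.example.lan:8080/
    ProxyPassReverse / http://cf-internal.example.lan:8080/

    # Keep this tree owned by root and not writable by the httpd user.
    DocumentRoot /var/www/static
    <Directory /var/www/static>
        Options None
        AllowOverride None
        Require all granted

        # A script file dropped here is refused instead of served.
        <FilesMatch "\.(cfm|cfc|cgi|pl|php|jsp)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

As the message notes, this protects the public web server and its OS only; requests that carry SQL injection or XSS payloads are still forwarded to the application server unchanged.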

