CFCs can only be accessed remotely if their access attribute (of the CFFunction) is set to "Remote". Furthermore, if you have the OnRequest() method of your Application.cfc, you cannot call CFCs directly (unless you dynamically delete this method in the OnRequestStart()).

If you are nervous about CFC security, the failsafe solution is to move your CFCs out of the webroot. When doing that, you either have to map your CFC paths or use this:

"Creating ColdFusion Components In Parent Directories (From Sub Directories) Without Mapped Paths"
http://www.bennadel.com/index.cfm?dax=blog:348.view

But, the bottom line is that if none of your CFCs are set to use remote access, then you shouldn't have anything to worry about... As far as I know... Smarter people can comment here :)

......................
Ben Nadel
Certified Advanced ColdFusion MX7 Developer
www.bennadel.com

Need ColdFusion Help?
www.bennadel.com/ask-ben/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 1:04 PM
To: CF-Talk
Subject: CFC security

All,

I'm looking for some insight on CFC security. For example, if someone knew the webroot_path/folder/ where CFCs were located, would it be easy for someone to point to a CFC as a Web service and retrieve, delete or insert data?

If yes to the above question, what are some good approaches to securing CFCs?

Thanks.
D

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:259461
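An added example, not part of the original thread: a small Python audit that lists the functions declared with access="remote" in .cfc files under a webroot, the condition the reply above names for remote invocation. It assumes tag-based `<cffunction>` declarations only; the sample component and its function names are constructed.

```python
import re
from pathlib import Path

# Opening <cffunction ...> tag, case-insensitive, attributes may span lines.
CFFUNCTION = re.compile(r"<cffunction\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# attr="value" or attr='value' pairs inside the tag.
ATTR = re.compile(r"""([\w:]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# CFML comments, so commented-out functions are not reported.
COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)

def remote_functions(cfc_source):
    """Return names of functions declared with access="remote" in one CFC."""
    found = []
    for tag in CFFUNCTION.finditer(COMMENT.sub("", cfc_source)):
        attrs = {k.lower(): (dq or sq) for k, dq, sq in ATTR.findall(tag.group(1))}
        # When the attribute is omitted, cffunction access defaults to "public".
        if attrs.get("access", "public").strip().lower() == "remote":
            found.append(attrs.get("name", "<unnamed>"))
    return found

def audit_webroot(webroot):
    """Map each .cfc under webroot (relative path) to its remote function names."""
    root = Path(webroot)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".cfc":
            names = remote_functions(path.read_text(errors="replace"))
            if names:
                report[str(path.relative_to(root))] = names
    return report

# Constructed sample component (not from the thread).
SAMPLE_CFC = """
<cfcomponent>
  <!--- <cffunction name="oldDelete" access="remote"> --->
  <cffunction name="getUser" access="public" returntype="query">
  </cffunction>
  <cffunction name="deleteUser" returntype="void"
              ACCESS='Remote'>
  </cffunction>
  <cffunction name="helper">
  </cffunction>
</cfcomponent>
"""

if __name__ == "__main__":
    print(remote_functions(SAMPLE_CFC))
```

Any file the audit reports is a candidate for changing the access level or for moving out of the webroot, as the reply suggests.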