> Filtering means "allow unless it matches". A security measure should be "deny unless it matches".
I believe that depends on the proportion of wanted vs. unwanted items. On a firewall, this is the best approach because there are far more ports that you don't want to have available than there are that you do want available, so a "deny everything and allow these few" approach is workable. Trying to apply the same logic to URLs isn't workable in my opinion. With dynamic web applications there are a virtually unlimited number of "good" URLs that are possible, and only a handful that are undesirable. This is especially true if you pass session tokens through the URL for session management. I can think of a few ways to implement a security system to allow only "approved" URLs, but none of them are any more effective than using secure coding methods to begin with. If you have a novel approach I'd be interested in learning about it.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311151
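As an added example (not code from the CF-Talk thread or its author) of the kind of "approved URLs" scheme the reply asks about: a deny-by-default rule does not have to enumerate every good URL. It can allow by structure instead, i.e. a known path, only the parameters that path expects, and a format rule per parameter. That accommodates an unlimited number of dynamic URLs, including a session token carried in the query string, while still denying anything not explicitly described. The paths, parameter names (including the session parameters) and format rules below are constructed assumptions for illustration, not anything taken from the post.

```python
"""Deny-by-default URL validation by structure rather than by enumeration.

Added example; the route table, parameter rules and sample URLs are all
constructed for illustration and are not from the original mailing-list post.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Format rules, applied to the *decoded* parameter value with fullmatch,
# so a percent-encoded value is checked after decoding, not before.
PARAM_RULES = {
    "numeric_id": re.compile(r"[0-9]{1,10}"),
    "page_name": re.compile(r"[a-z_]{1,32}"),
    "search_term": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "session_token": re.compile(r"[A-Za-z0-9-]{1,40}"),
}

# Parameters any page may carry: a session id/token passed in the URL
# (hypothetical names, modelled on the "session tokens through the URL"
# case in the post).
COMMON_PARAMS = {"CFID": "numeric_id", "CFTOKEN": "session_token"}

# Allowlist of paths the application serves, each with the parameters it
# expects and the rule each parameter must satisfy (hypothetical pages).
ALLOWED_PATHS = {
    "/index.cfm": {"page": "page_name"},
    "/product.cfm": {"id": "numeric_id"},
    "/search.cfm": {"q": "search_term"},
}


def is_allowed(url: str) -> bool:
    """Return True only if the path is known AND every query parameter is
    expected for that path AND each value matches its rule.

    Everything else (unknown path, unexpected parameter, malformed value,
    empty value) is denied: the default is deny, not allow.
    """
    parts = urlsplit(url)
    expected = ALLOWED_PATHS.get(parts.path)
    if expected is None:
        return False
    rules = {**COMMON_PARAMS, **expected}
    # keep_blank_values=True so "id=" is seen (and then rejected by the rule)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule_name = rules.get(name)
        if rule_name is None:
            return False
        if not PARAM_RULES[rule_name].fullmatch(value):
            return False
    return True


def classify(urls):
    """Split a batch of URLs into (allowed, denied) lists."""
    allowed = [u for u in urls if is_allowed(u)]
    denied = [u for u in urls if not is_allowed(u)]
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample requests: many distinct "good" URLs are accepted
    # because they fit the structure, not because they were listed.
    sample = [
        "/product.cfm?id=42&CFID=1234&CFTOKEN=ab12cd34",
        "/product.cfm?id=9001",
        "/search.cfm?q=blue%20widgets",
        "/index.cfm?page=home",
        "/product.cfm?id=42&debug=1",   # unexpected parameter -> deny
        "/product.cfm?id=",             # empty value -> deny
        "/admin.cfm",                   # unknown path -> deny
    ]
    ok, bad = classify(sample)
    for u in ok:
        print("ALLOW", u)
    for u in bad:
        print("DENY ", u)
```

This is a coarse outer layer, not a substitute for the secure coding the reply favours: whatever it admits is still untrusted input to the page that handles it, and the rules have to be updated whenever a page gains a parameter, which is the maintenance cost the post is pointing at.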