FuseGuard
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.
Latest Version: 3.6.0 (change log) Released 2024-02-21
How does FuseGuard work?
FuseGuard inspects requests before your CFML executes (typically in onRequestStart of an Application.cfc). If FuseGuard determines that the request is malicious, it will log the request or block it from continuing execution.
FuseGuard looks for several types of malicious requests including:
- Malicious File Uploads
- Remote Code Execution
- Cross Site Scripting / XSS
- SQL Injection
- Session Hijacking
- Cross Site Request Forgery
- Path Traversal Attacks
- Null Byte Injection
- Password Dictionary Attacks
- CRLF Injection
- Malicious User Agents
- XML Entity Injection
- XML External DTD Injection
Note: Although web application firewalls like FuseGuard can block many types of malicious requests, it is impossible for any product to block 100% of all security threats. The best defense has many layers. We strongly encourage you to review and scan your code for security vulnerabilities and remediate them in the source code. We offer ColdFusion Security Training and ColdFusion Security Consulting services to our clients. You should also ensure that your server is installed and configured according to the ColdFusion Lockdown Guide.
Getting Started with FuseGuard
You can start logging or blocking malicious requests in less than 10 minutes.
- Request a free trial
- Copy the fuseguard folder onto your server
- Add a few lines of code we supply to your Application.cfm or Application.cfc file
- Configure to determine which types of attacks you want to block or log.
System Requirements
FuseGuard can run on the following CFML engines:
- Adobe ColdFusion 9, 10, 11, 2016, 2018, 2021 or 2023
- Lucee 4.5 & Lucee 5
- Railo 4
Note: Even though FuseGuard works on older versions of ColdFusion or Lucee, using a version that is no longer supported or patched by the vendor is not recommended.
Using a database for logging is not required (you can log to file or email). We currently support these database platforms:
- MySQL 4 or Greater
- Microsoft SQL Server 7 or Greater
- PostgreSQL
- Apache Derby (Included in CF8 or Greater, script for creating DB and Datasource Included)
Licensing
There are two standard licensing options; however, if you have a licensing need that doesn't fit within our model, we would be happy to work out a custom quote.
- Server License Subscription $48/month/server - Billed Annually - Allows you to use the firewall on an unlimited number of Applications residing on ONE physical server. The physical server may contain multiple J2EE server instances, multiple virtualized operating systems (such as docker instances or virtualization).
- Enterprise License Subscription $450/month - Billed Annually - Software may be used on multiple physical servers, and applications within the same organization located in the same country. Excludes Resale, OEM or Hosting Providers.
- Elastic Cloud / Docker Use - For Applications that run on a number of servers that changes dynamically, the enterprise license can be used. If your elastic use case typically runs on fewer than 10 servers, please Contact Us.
- OEM / Reseller / Hosting Provider - Please Contact Us
Note: the subscription license entitles you to the latest version of FuseGuard as long as your license is current.
Frequently Asked Licensing Questions
Does the Server license cover multiple ColdFusion instances?
Yes, the server license covers an unlimited number of FuseGuard instances on the same physical server. This includes multiple Applications within a single ColdFusion instance, multiple applications on multiple instances of ColdFusion (on the same physical server), and multiple instances of ColdFusion on multiple virtualized servers (running from the same physical host computer).
Do I need to purchase licenses for Development, Staging, Testing Servers?
No, a single FuseGuard license may be used on unlimited non-production servers, including development, staging, testing / qa, backup, hot-standby.
Is FuseGuard version 2.x still supported?
FuseGuard version 2 will be supported until January 1, 2020. After January 1, 2020 no further updates will be made to the FuseGuard 2.x version. You must purchase version 3 to get future updates.
Customizable & Configurable
Because the firewall is written in ColdFusion, you will find it very easy to extend and configure. Other firewalls may have domain-specific languages you need to learn in order to configure them properly. You already use CFML, so why not use it to configure your WAF?
You can also write your own custom filter in CFML that runs inside the firewall.
Check out the Documentation and CFC API Reference.
Other Security Products & Services
- HackMyCF - A service that checks your ColdFusion server for remote vulnerabilities
- Fixinator - A ColdFusion code security scanner.
- ColdFusion Security Consulting
- CFML Security Checklist Included Free with FuseGuard Purchase
You can get Fixinator and HackMyCF along with FuseGuard in one package called the Foundeo Continuous Security Bundle.
ColdFusion is a trademark of Adobe Systems Incorporated.