ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279044 | SRG-APP-000141-AS-000095 | APAS-CF-000220 | SV-279044r1171508_rule | 2025-12-19 | 1 |
| Description |
|---|
| Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging, are valuable tools during development but pose significant security risks if left enabled in production environments. These features can expose detailed error messages, internal server logic, application structure, variable contents, and system information that could be leveraged by attackers to gain unauthorized access, identify exploitable vulnerabilities, or conduct reconnaissance. Allowing remote inspection or detailed debugging output in a production environment undermines the principle of least privilege and increases the risk of unauthorized disclosure of sensitive information. This violates secure coding and deployment best practices. Disabling these features mitigates the risk of information leakage. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000266-AS-000169 |
| ℹ️ Check |
|---|
| Validate Debugging and Logging settings. From the Admin Console Landing Screen, navigate to Debugging & Logging. In the "Remote Inspection Settings" tab, if "Allow Remote Inspection" is checked, this is a finding. In the "Debug Output Settings" tab, if "Enable Robust Exception Information" is checked, this is a finding. If "Enable AJAX Debug Log Window" is checked, this is a finding. In the "Debugger Settings" tab, if "Allow Line Debugging" is checked, this is a finding. |
| ✔️ Fix |
|---|
| Configure Debugging and Logging settings. 1. From the Admin Console Landing Screen, navigate to Debugging & Logging. 2. In the "Remote Inspection Settings" tab, ensure "Allow Remote Inspection" is unchecked. 3. Select "Submit Changes". 4. In the "Debug Output Settings" tab, ensure "Enable Robust Exception Information" is unchecked. 5. Ensure "Enable AJAX Debug Log Window" is unchecked. 6. Select "Submit Changes". 7. In the "Debugger Settings" tab, ensure "Allow Line Debugging" is unchecked. 8. Select "Submit Changes". |