One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.
One such app that I developed uses Flex for its charting capabilities and needs access to a 'getResults()' function in the cfc.
All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:
https://myserver.com/c/functions.cfc?wsdl
and will actually return the results to the browser if the URL query is crafted properly:
https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy
What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?
You could utilize some of the CGI scope variables to check where the request is coming from.
i.e.: CGI.REMOTE_HOST, CGI.REMOTE_ADDR
So, you'd probably construct a new function with an access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request and if it returns false, you would throw/return some sort of error.
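The check described in this answer, as an added example (not code from the original posts): a `functions.cfc` whose remote `getResults()` calls a public gate before doing any work. The allowlist values, the `session.isLoggedIn` flag (which assumes session management is enabled in the application) and the constructed result rows are assumptions.

```cfml
<cfcomponent output="false">

    <!--- Assumption: addresses allowed to call remote methods without a session
          (constructed sample values, replace with your own server addresses) --->
    <cfset variables.allowedAddrs = "127.0.0.1,10.0.0.15">

    <!--- The gate: compare CGI.REMOTE_ADDR against the list of valid values.
          Requests made by Flex Remoting or through a .cfm page carry the end
          user's address, so an authenticated session is accepted as well.
          session.isLoggedIn is a hypothetical flag set by the login code. --->
    <cffunction name="isAllowedCaller" access="public" returntype="boolean" output="false">
        <cfif listFind(variables.allowedAddrs, CGI.REMOTE_ADDR) GT 0>
            <cfreturn true>
        </cfif>
        <cfif structKeyExists(session, "isLoggedIn") AND session.isLoggedIn IS true>
            <cfreturn true>
        </cfif>
        <cfreturn false>
    </cffunction>

    <cffunction name="getResults" access="remote" returntype="query" output="false">
        <cfargument name="Term" type="string" required="true">
        <cfargument name="Course" type="string" required="true">
        <cfset var results = "">

        <!--- Refuse a crafted ?method=getResults URL from an unknown caller --->
        <cfif NOT isAllowedCaller()>
            <cfthrow type="AccessDenied"
                     message="Direct access to this method is not permitted.">
        </cfif>

        <!--- Constructed sample data standing in for the real lookup --->
        <cfset results = queryNew("Term,Course,Score", "varchar,varchar,integer")>
        <cfset queryAddRow(results)>
        <cfset querySetCell(results, "Term", arguments.Term)>
        <cfset querySetCell(results, "Course", arguments.Course)>
        <cfset querySetCell(results, "Score", 87)>
        <cfreturn results>
    </cffunction>

</cfcomponent>
```

Every function declared with access="remote" needs the same call at its top, since each one can be reached through the `?method=` URL form shown in the question.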