WolfShade
Legend
February 27, 2026
Question

400 errors trying to get to CF Admin


Hello, everyone.

 

Still have not had a chance to do anything with my last issue (still ongoing), and now we have more issues.  They just keep cropping up.

 

The most critical, however, is that our SA is getting 400 errors trying to access CF Admin.  I’m trying to get as much information from our SA as possible.

 

He’s checking logs, as I type this.  I’m hoping he can get me some details for me to post.

 

Right now, all I have is what appears in the browser when he tries to access CF Admin.

 

BAD REQUEST

Your browser set a request that this server could not understand.

Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.

 

As soon as our SA passes to me what he finds in the logs, I’ll post them here.

 

V/r,

WolfShade


    Charlie Arehart
    Community Expert
    February 27, 2026

    Wolf, a few things.

     

    1- While I have never seen that error before myself (which is telling), notice that it ends reporting that the problem was in “trying to use an ErrorDocument to handle the request”.

     

    As you may know, that ErrorDocument is an Apache (or .htaccess) directive. Sometimes people modify that to pass a failing request to CF--which could set up a circular response, as the CF page called may then itself fail. I don’t KNOW that could cause this error, but it might.

     

    So first, look for how the ErrorDocument directive is configured for this server or vhost. Beyond eyeballing the conf files (which with includes can get hairy), note that there are args built into httpd or apachectl that can help with debugging the conf files.

     

    2 - Since you say the problem is in accessing the CF Admin itself, and since I know you’re in DOD (right?), you guys may be working under the auspices of the old STIG (from CF11 in 2014), which as you may recall used to tell folks to DISABLE CF’s built-in web server and instead configure Apache (or IIS) to talk to it. That contentious advice has led to much hoopla in the decade-plus since.

     

    The problem is that first CF2016 blocked that (accessing the CF Admin via Apache or IIS) by default, for the sake of grave security risks. And then people (especially those “forced” to follow the STIG) shared tweaks to get around that.

     

    But then in Jul 2023 Adobe shut that door in an update. It’s possible your folks, like others, opted to not go beyond that update because of this (though I’d think doing that would be seen by sec folks as worse than following the STIG mandate to not enable the built-in web server). Your folks may even have done any number of gymnastics that have things configured in a non-standard way.

     

    I raise all this as it might help explain why your error is one we don’t hear about often.  It also can make it challenging for us to help here, playing battleship as we must because of your being behind the wall of DOD  (and made all the more challenging to play, if your board doesn’t match the normal setup). :-)

     

    3 - Here’s what should seem good news: if you’d not heard, note that Adobe and DOD have now released a new CF STIG. It’s oddly called v1r1, but it’s from Nov 2025.

     

    It’s available via the zip from the cyber.mil site, which can be found via searching for coldfusion on the main STIG download site. And it was announced by Adobe 10 days ago in a post here. Sadly the details (84 rules) are in an xml file not a pdf. Note I’ve added a comment at the Adobe blog post about the STIG available to read more easily online at the stigui.com site.

     

    While the post (from Feb 2026) refers to the STIG as being for CF2023, my sense is that the effort was begun on CF2023 and didn’t get finalized (within DOD) until after CF2025 had come out.  Anyway, its concepts should apply as well to CF2025--but I am not a lawyer, don’t work for Adobe, and don’t work in DOD. :-)

     

    And the STIG could be said to apply to earlier CF versions as well, but as you may know CF2021 got its last updates in Dec 2025. It should be thoroughly counter to any DOD security policy for one to be running earlier versions--and even CF2021 now that CF2023/2025 (alone) got an update last month (which means there’s a known vuln in 2021 that will not be patched by Adobe).

     

    And note finally that it NO LONGER REQUIRES DISABLING CF’S BUILT-IN WEB SERVER. It just requires that “The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors”.  More in the details on the rule (accessed in that web site by clicking on the rule).

     

    Anyway, hope the first point above might help you gather more diagnostics or do more debugging on the problem you’re facing.

    /Charlie (troubleshooter, carehart.org)
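
An added example, not part of Charlie's reply or of any Apache or Adobe tooling: a shell function that lists every `ErrorDocument` directive under a config tree and flags the ones handed to a ColdFusion template, the setup that point 1 above describes. The `/etc/httpd` path in the comment and the `LOCAL-CF` label are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inventory ErrorDocument directives.
# Output per hit: file:line: status target -> kind
#   LOCAL-CF          local URL path ending in .cfm/.cfc (error page served by CF;
#                     if that page is blocked or fails, the error handler fails too)
#   local             other local URL path
#   text-or-external  literal message or full URL
scan_errordocument() {
    # $1 = config root, e.g. /etc/httpd (assumed path; use your ServerRoot)
    find "$1" -type f \( -name '*.conf' -o -name '.htaccess' \) -exec awk '
        # Directive names are case-insensitive; commented lines have "#" in $1.
        tolower($1) == "errordocument" && $2 ~ /^[0-9][0-9][0-9]$/ {
            target = $3
            gsub(/^"|"$/, "", target)            # drop surrounding quotes
            kind = "text-or-external"
            if (substr(target, 1, 1) == "/") {
                kind = "local"
                if (tolower(target) ~ "\\.(cfm|cfc)([?/]|$)") kind = "LOCAL-CF"
            }
            printf "%s:%d: %s %s -> %s\n", FILENAME, FNR, $2, target, kind
        }' {} +
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_errordocument "$1"
fi
```

Files pulled in by `Include` from outside the scanned tree are not covered; `apachectl -t -D DUMP_INCLUDES` (httpd 2.4) lists the files Apache actually loads.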
    BKBK
    Community Expert
    February 27, 2026

    Hi @WolfShade,

    The last issue you reported received a number of suggestions. It still awaits an update from you, as promised.

    The 2 commonest causes of “400 Bad Request” are:

    • corrupted cookies;
    • headers with payloads that are too large.

    If either applies to you, then possible solutions are:

    1. Check the URL used for the ColdFusion Administrator and ensure it is correct.
    2. Test by opening the URL in a different browser. If the issue persists, continue to the next steps.
    3. Clear all the browser cache and cookies for the page.
    4. If additional headers had been added manually, then reduce the number of headers or the header size.
    WolfShade
    Legend
    February 27, 2026

    Hi, @BKBK!

     

    As you have noted, I did receive suggestions and passed them on to our SA.  I’m not sure where we are with those.  I think a few of the suggestions were done but no success.  HF17 & 18 are still breaking things on one of our staging servers.  Even having issues with a news section, now, that wasn’t a problem until just a few days ago.  Unfortunately, we’ve been told to prioritize other things.  There’s a lot of things that have been put into motion, recently, and everyone is moving in five directions at once.  We used to have over 20 people in this dept. We just lost our DBA, and are now down to just 9 of us.  Trying to do the job of 20.

     

    I apologize for not updating everyone who has contributed ideas.

     

    I will pass on your suggestions to our SA.  I’m hoping it’s just a cookie or cache issue.  I’ll have him check the URL, but fairly certain it is correct.

     

    I do appreciate everyone’s time and consideration.

     

    V/r,

    WolfShade

     

    BKBK
    Community Expert
    February 28, 2026

    Hi @WolfShade,

    Thanks for the update. Sad to hear about the scaling-down going on in your team.

    Hats off for continuing to hold the fort.