Security
Privilege sets, accounts, encryption, API security, and best practices for securing FileMaker solutions.
Privilege Sets: FileMaker's Permission Layer
Understand what privilege sets are and how they control every action a user can take in a FileMaker solution.
FileMaker Account Types
Local accounts, external server accounts, OAuth, and Claris ID -- know which type to use and why.
Extended Privileges
Extended privileges unlock specific access methods -- Data API, ODBC, Admin API, WebDirect. Know what each one enables.
Record-Level Access Control
Use calculations to restrict which records individual users can view, edit, or delete.
Layout and Script Access Control
Restrict which layouts users can navigate to and which scripts they can run directly.
Controlling Value List and Field Access
Restrict which fields users can see or edit, and understand how value list visibility interacts with record access.
The Guest Account: Risks and Uses
When enabling the Guest account is appropriate, how to lock it down, and why it is dangerous when misused.
Designing a Privilege Set Hierarchy
Plan a coherent role structure: how many privilege sets you need, what each should cover, and how to avoid permission sprawl.
Security at the Field Definition Level
Auto-enter, validation, and calculation options that enforce data integrity independent of the UI.
Account Management Best Practices
Password policies, account auditing, disabling accounts, and managing credentials across a live solution.
Encryption at Rest
Enable FileMaker's built-in file encryption to protect data when the database file is offline or physically stolen.
SSL/TLS on FileMaker Server
Install and manage SSL certificates on FileMaker Server to encrypt data in transit between clients and the server.
Securing Container Fields
Container fields store files, images, and binary data -- know how to control access, encryption, and storage location.
Audit Logging in FileMaker
Build a record of who changed what and when -- FileMaker does not log by default, so you must build it.
Password Security Policies
Configure meaningful password requirements and understand what FileMaker can and cannot enforce.
OAuth and SAML Authentication in FileMaker
Connect FileMaker authentication to identity providers like Google, Microsoft Entra, and SAML-based SSO systems.
Data API Security Best Practices
Secure your FileMaker Data API endpoints against unauthorized access, credential exposure, and over-permissioned service accounts.
SQL Injection Risks in FileMaker
Understand how ExecuteSQL and the Data API can be exploited through unsanitized input, and how to prevent it.
Field-Level Encryption for Sensitive Data
Encrypt sensitive field values individually using CryptEncrypt and CryptDecrypt for data that must stay protected even from privileged users.
Multi-Factor Authentication for FileMaker
MFA options available for FileMaker solutions -- what the platform supports natively and how to extend it via external IdPs.
Comparing Privilege Sets: Built-in vs. Custom
A practical comparison of built-in privilege sets and when a custom set is the right choice.
Network Hardening for FileMaker Server
Firewall rules, port management, and network architecture patterns that reduce the attack surface of a FileMaker Server deployment.
Session Management and Idle Timeouts
Control inactive sessions to limit exposure from unattended workstations and token overhang.
RunWithFullAccess: Power and Risk
Understand the security implications of RunWithFullAccess scripts and how to use the feature safely.
Least Privilege Design Principles
Apply the principle of least privilege to every access decision in a FileMaker solution.
The Data Separation Model
Separate your UI file from your data file to simplify deployments, protect data, and enable schema-level security.
Credential Storage in FileMaker Solutions
How to store API keys, passwords, and secrets within a FileMaker solution safely -- and what never to do.
Common Security Vulnerabilities in FileMaker Solutions
A practical survey of the most frequently exploited security weaknesses in real-world FileMaker deployments.
Incident Response for FileMaker Security Events
What to do when you detect a potential security breach: immediate containment, investigation, and recovery steps.
Security Audit Checklist for FileMaker Solutions
A structured checklist to assess the security posture of any FileMaker solution before go-live or as a periodic review.
Kiosk Mode Security
Lock down FileMaker solutions running in kiosk mode: prevent bypassing the app, limit menus, and control navigation.
OS Hardening for FileMaker Server
Operating system security practices that protect the host running FileMaker Server from unauthorized access.
Backup Encryption and Secure Backup Storage
Protect FileMaker backups so a stolen backup file does not become a data breach.
GDPR and Privacy Compliance in FileMaker
Practical steps for aligning a FileMaker solution with GDPR and general data privacy requirements.
Penetration Testing FileMaker Solutions
What a penetration test of a FileMaker solution looks like and how to interpret and act on the findings.
WebDirect-Specific Security Considerations
WebDirect exposes your FileMaker solution to a browser -- learn the additional security measures that go beyond standard privilege sets.
Multi-Tenant Isolation in FileMaker
Design patterns for running multiple customer organizations in a single FileMaker deployment with complete data isolation.
FileMaker Go Security on Mobile Devices
Mobile-specific security considerations for solutions deployed on iOS with FileMaker Go.
Custom Web Publishing (CWP) Security
Security considerations for FileMaker solutions exposed via the XML and PHP Custom Web Publishing interfaces.
A Complete FileMaker Security Framework
Bringing it all together: a layered security model that covers every attack vector from network to field level.