WebDirect-Specific Security Considerations
Beginner
WebDirect exposes your FileMaker solution to a browser, which calls for additional security measures that go beyond standard privilege sets.
What you'll learn
- How WebDirect changes the security threat model
- Browser-specific risks: developer tools, session hijacking
- Restricting WebDirect access by IP or authentication
- Content Security Policy and HTTPS enforcement
WebDirect makes your FileMaker solution accessible in a web browser. This changes the threat model: any internet user can reach the login page, browser developer tools can inspect network traffic, and the session runs in a context with less control than the FileMaker Pro client. WebDirect-specific security considerations address these new vectors.
WebDirect threat model differences
In FileMaker Pro, traffic goes over the FileMaker binary protocol on port 5003. In WebDirect, everything runs over HTTPS in a browser, which means: users can open developer tools and inspect requests, session tokens are in browser storage, CSRF is a theoretical concern on shared devices, and anyone who can reach the URL can see the login page.