Introduction to FileMaker Pro web security 11
5. Layouts are not intended to be used as security measures. Limiting the fields that are displayed
on web pages is part of a best practices approach, to minimize the accidental exposure of fields
to users on Instant Web Publishing pages. Regardless of which layouts are used, all fields in the
database are available to CGI requests from any web user, unless the proper access privileges are
applied to restrict access on a field-by-field basis. For more information on field-by-field
protection, see information in FileMaker Pro online Help on defining groups.
6. If you have an open database on a host computer, but you don't want to publish it on the Web,
be sure Web Companion sharing isn't enabled for that database.
7. To prevent a published database from displaying on the built-in home page, rename the database
to include an underscore character at the end of the filename, before any filename extension (for
example, Orders_ or Orders_.fp5). If you change the filename, you may need to change references
to the file in relationships and scripts. (Alternatively, you can consider not enabling Web
Companion sharing for the primary database, and using a web-only database as a front end to the
primary database, as described above.)
Note: This naming method will not prevent the name of the database from being displayed in
response to the CGI request -dbnames.
8. Use the Web Security Database as an alternate method of applying security for Custom Web
Publishing, and configure security for users and fields. For additional security, do not use blank
passwords, and do not use the All users option. See "Protecting Custom Web Publishing solutions"
on page 22 for more information.
9. For Custom Web Publishing, FileMaker recommends that you use additional security measures,
such as the Secure Sockets Layer (SSL) protection offered by third-party web server software.
For information on configuring SSL protection for FileMaker Pro Unlimited software using
Microsoft Internet Information Server (IIS), see "Example: Configuring SSL with Microsoft IIS"
on page 47.
10. Test your security.
Using a browser, you can test your web-published databases to see what elements are exposed. For
example:
To view the names of the databases that are published to the web, enter this address in your browser:
http:///FMPro?-format=-fmp_xml&-dbnames
You should only see the names of those databases you intend to publish to the web.
To view the fields that are available on the Web for a record in your database, enter this address
in your browser:
http:///FMPro?-db=abc.fp5&-format=-fmp_xml&-findany
You should only see the names of the fields you intend to expose for that record.
To view the script names in a database, enter this address in your browser:
http:///FMPro?-db=abc.fp5&-format=-fmp_xml&-scriptnames
You should only see the names of the scripts you intend to expose for that database.
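The checks in step 10 can be turned into a repeatable comparison against a list of what you intend to publish. The following is an added example, not part of the FileMaker documentation: the host fm-host.example, the function names and both sample responses are constructed for illustration, and it assumes the hyphen-prefixed Web Companion request syntax and an fmp_xml reply that lists field names in FIELD elements and row values in DATA elements.

```python
import xml.etree.ElementTree as ET

HOST = "fm-host.example"  # assumption: placeholder for your own Web Companion host

def audit_url(action, db=None):
    """Build a step-10 test URL; action is dbnames, findany or scriptnames."""
    prefix = f"-db={db}&" if db else ""
    return f"http://{HOST}/FMPro?{prefix}-format=-fmp_xml&-{action}"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def row_values(xml_text):
    """Values listed in result rows (database or script names)."""
    return [e.text for e in ET.fromstring(xml_text).iter()
            if _local(e.tag) == "DATA" and e.text]

def field_names(xml_text):
    """Field names the response describes for the returned record."""
    return [e.get("NAME") for e in ET.fromstring(xml_text).iter()
            if _local(e.tag) == "FIELD"]

def unexpected(exposed, intended):
    """Names the server exposes that are not on the intended list."""
    return sorted(set(exposed) - set(intended))

# Constructed sample responses, modelled on fmp_xml output; paste real ones here.
DBNAMES_XML = """<FMPXMLRESULT xmlns="http://www.filemaker.com/fmpxmlresult">
<ERRORCODE>0</ERRORCODE>
<METADATA><FIELD NAME="DATABASE_NAME" TYPE="TEXT"/></METADATA>
<RESULTSET FOUND="2">
<ROW><COL><DATA>WebFront.fp5</DATA></COL></ROW>
<ROW><COL><DATA>Orders_.fp5</DATA></COL></ROW>
</RESULTSET></FMPXMLRESULT>"""

FINDANY_XML = """<FMPXMLRESULT xmlns="http://www.filemaker.com/fmpxmlresult">
<ERRORCODE>0</ERRORCODE>
<METADATA><FIELD NAME="Name" TYPE="TEXT"/><FIELD NAME="City" TYPE="TEXT"/>
<FIELD NAME="CardNumber" TYPE="TEXT"/></METADATA>
<RESULTSET FOUND="1"><ROW><COL><DATA>A. Jones</DATA></COL>
<COL><DATA>Leeds</DATA></COL><COL><DATA>0000</DATA></COL></ROW>
</RESULTSET></FMPXMLRESULT>"""

if __name__ == "__main__":
    print(audit_url("dbnames"))
    print("unintended databases:", unexpected(row_values(DBNAMES_XML), {"WebFront.fp5"}))
    print(audit_url("findany", "abc.fp5"))
    print("unintended fields:", unexpected(field_names(FINDANY_XML), {"Name", "City"}))
```

In the constructed -dbnames reply, Orders_.fp5 is flagged even though its underscore suffix keeps it off the built-in home page, which is the situation the note under item 7 describes.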
To view the layout names in a database, enter this address in your browser: