16 FileMaker Pro Web Publishing Security Guidelines
Important considerations for using the Web Companion
Do not enable the Web Companion unless you intend to publish your database over the web, and
have enabled password and access privilege protection or are using the Web Security Database.
In general, database files should not be stored in the Web folder (or its subfolders).
Do not enable remote administration via the Web Companion unless you intend to administer
your databases remotely. Remote administration enables you to:
- administer the Web Security Database remotely
- use the dbopen CGI action
- use the dbclose CGI action
- download FileMaker Pro files from the FileMaker Pro Web folder
- use the HTTP PUT command for uploading files into the Web folder
With Remote Administration enabled it is possible to use HTTP PUT to place a CDML format file within the Web folder. A file could include the FMP Include tag, which could specify a CDML format file that was in the cdml_format_files folder. You can limit your exposure to such an attack by only enabling remote administration when absolutely necessary.
Important: Only enable Remote Administration if you need to use it. Consider using SSL to secure remote administration communications (which will contain database names, user IDs and passwords) in order to prevent other Internet users from obtaining this information. For more information, see Secure Sockets Layer (SSL) security for Custom Web Publishing on page 7.
The cdml_format_files folder
If you're doing Custom Web Publishing, use the cdml_format_files folder to restrict browser
clients from directly viewing the source code of your CDML format pages. This prevents the
source code and logic of your web site design from being viewed by guests, while still allowing the
Web Companion to serve your data.
For more information on using the cdml_format_files folder with Custom Web Publishing, see
chapter 4, Using the cdml_format_files folder.
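The two folder-layout rules above (no database files inside the Web folder, and CDML format pages kept in cdml_format_files rather than where a browser can fetch their source) can be checked with a simple audit script. The following is an added example, not part of this guide or of FileMaker Pro; it assumes FileMaker database files use the .fp3, .fp5 or .fmp extensions and that a CDML format page can be recognised by a tag starting with "[FMP-".

```python
import tempfile
from pathlib import Path

# Assumptions (not stated in the guide): database file extensions and the
# CDML tag prefix used to recognise a format page.
DATABASE_EXTENSIONS = {".fp3", ".fp5", ".fmp"}
CDML_TAG_MARKER = "[FMP-"
PROTECTED_DIR = "cdml_format_files"


def audit_web_folder(web_root):
    """Walk a Web folder and return (finding, relative_path) pairs for
    database files stored under it and for CDML format pages that sit
    outside the cdml_format_files folder (and so are viewable by guests)."""
    web_root = Path(web_root)
    findings = []
    for path in web_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(web_root)
        # Rule 1: no database files anywhere under the Web folder.
        if path.suffix.lower() in DATABASE_EXTENSIONS:
            findings.append(("database_in_web_folder", rel.as_posix()))
            continue
        # Pages inside cdml_format_files are served by the Web Companion
        # but not exposed directly, so they are fine.
        if PROTECTED_DIR in rel.parts:
            continue
        # Rule 2: a page containing CDML tags outside that folder leaks its
        # source and logic to any browser that requests it.
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if CDML_TAG_MARKER in text:
            findings.append(("cdml_format_file_exposed", rel.as_posix()))
    return sorted(findings)


def build_sample_web_folder():
    """Constructed sample layout (not a real deployment) for demonstration."""
    root = Path(tempfile.mkdtemp())
    (root / PROTECTED_DIR).mkdir()
    (root / PROTECTED_DIR / "search.htm").write_text("[FMP-Field: Name]")
    (root / "results.htm").write_text("<html>[FMP-Record]...[/FMP-Record]</html>")
    (root / "index.htm").write_text("<html>Welcome</html>")
    (root / "Customers.fp5").write_bytes(b"\x00")
    return root


if __name__ == "__main__":
    for finding, rel in audit_web_folder(build_sample_web_folder()):
        print(f"{finding}: {rel}")
```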