Custom Web Publishing (CWP) Security
Level: Beginner

Security considerations for FileMaker solutions exposed via the XML and PHP Custom Web Publishing interfaces.
What you'll learn
- How CWP authentication works and its risks
- Restricting CWP access with extended privileges
- XSS and injection risks in PHP CWP
- Migrating from CWP to the Data API for security improvements
Custom Web Publishing (CWP) is an older FileMaker technology that exposes your database via XML or PHP. While the Data API is preferred for new development, many existing solutions use CWP. It has unique security concerns: XML CWP sends credentials in every request, and the PHP API ships with demo files that expose configuration details.
CWP authentication risks
XML CWP and PHP CWP send the FileMaker username and password with every request -- typically in the URL or as HTTP Basic Auth headers. This means credentials appear in: web server access logs, browser history, and network packet captures. Always use HTTPS for CWP. Never embed credentials in a URL that could be bookmarked or shared.
// WRONG: credentials in URL (logged by web server)
http://server/fmi/xml/fmresultset.xml?-db=mydb&-lay=Contacts&-findall&-user=admin&-password=secret

// Better: credentials in HTTP Basic Auth header
// Still sent in every request -- use HTTPS
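The two sides of the point above, as an added example that is not part of the original page and not FileMaker's own client or server code: a small client helper that builds an XML CWP request with the account credentials in a Basic Auth header and refuses plain-http URLs or credentials passed as query parameters, plus a defender-side scan over web server access log lines that flags CWP requests which leaked -user / -password in the URL and returns a redacted copy for reporting. The server URL, account name, password and log lines are all constructed for the example.

```python
"""Defender-side helpers for FileMaker Custom Web Publishing (CWP) credentials.

build_cwp_request()            -- credentials go in an Authorization header, never the URL
find_credentials_in_access_log() -- find and redact -user / -password leaked into access logs
"""
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request

# CWP query parameters that carry account credentials (XML CWP syntax)
CREDENTIAL_PARAMS = {"-user", "-password"}

# Matches the request line inside a common/combined-format access log entry
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def build_cwp_request(base_url, db, layout, username, password, extra_params=None):
    """Return a urllib Request for a -findall against the XML CWP endpoint.

    Credentials travel in an HTTP Basic Auth header. The helper refuses a
    non-https base URL and refuses -user / -password given as query parameters,
    so they cannot end up in server logs, browser history or bookmarks.
    """
    extra = dict(extra_params or {})
    if urlsplit(base_url).scheme != "https":
        raise ValueError("CWP requests must use https: credentials would travel in clear text")
    leaked = CREDENTIAL_PARAMS & set(extra)
    if leaked:
        raise ValueError(f"credentials must not be query parameters: {sorted(leaked)}")

    params = {"-db": db, "-lay": layout}
    params.update(extra)
    # -findall is a bare command token in CWP, so it is appended without a value
    url = f"{base_url.rstrip('/')}/fmi/xml/fmresultset.xml?{urlencode(params)}&-findall"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(url, headers={"Authorization": f"Basic {token}"})


def find_credentials_in_access_log(lines):
    """Scan access log lines for CWP requests carrying credentials in the URL.

    Returns one finding per offending line: its 1-based line number, which
    credential parameters appeared, and a copy of the line with the credential
    values replaced by REDACTED (so the finding itself can be filed safely).
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        # Only CWP endpoints are of interest; both XML CWP and the PHP API use /fmi/
        if not target.startswith("/fmi/"):
            continue
        query = urlsplit(target).query
        leaked = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                         if k in CREDENTIAL_PARAMS})
        if not leaked:
            continue
        redacted = re.sub(r'(-(?:user|password))=[^&\s"]*', r"\1=REDACTED", line)
        findings.append({"line": number, "params": leaked, "redacted": redacted})
    return findings


# Constructed access log lines for the example (not real traffic):
# line 1 leaks credentials in the query string, line 2 is a clean CWP request,
# line 3 is a non-CWP path and is out of scope for this check.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /fmi/xml/fmresultset.xml'
    '?-db=mydb&-lay=Contacts&-findall&-user=admin&-password=secret HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2024:10:15:07 +0000] "GET /fmi/xml/fmresultset.xml'
    '?-db=mydb&-lay=Contacts&-findall HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2024:10:16:30 +0000] "GET /index.php?-user=x HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    # Hypothetical server and account, constructed for the example
    req = build_cwp_request("https://fms.example.internal", "mydb", "Contacts", "admin", "secret")
    print("URL:", req.full_url)
    print("Authorization header present:", req.has_header("Authorization"))
    for finding in find_credentials_in_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: credentials in URL {finding['params']}")
        print("  ", finding["redacted"])
```

Running the scanner over the web server's access logs on a schedule is a cheap way to confirm that no client (or bookmark) is still using the URL form after a migration to header-based authentication; the redacted line is what goes into the ticket, never the original.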