Hardening WebDirect for Public Deployments

Beginner

Security measures specific to WebDirect deployments accessible over the public internet.

What you'll learn

  • Restricting WebDirect access to authorized users
  • Rate limiting and brute-force prevention for WebDirect logins
  • Security headers for the WebDirect response
  • Monitoring WebDirect for unusual access patterns

When WebDirect is accessible from the public internet, anyone on the internet can reach your FileMaker login page. Hardening a public WebDirect deployment means restricting who can reach the login page, preventing brute-force attacks, and ensuring the solution itself does not expose more than intended to an authenticated web user.


Restricting access to known users or IPs

Use a reverse proxy (nginx, Cloudflare, AWS ALB) in front of WebDirect to: restrict access to specific IP ranges (if users are on a known network), require additional authentication (Cloudflare Access, Basic Auth on the proxy) before reaching the FileMaker login page, or geo-restrict to your country of operation.

# nginx: restrict WebDirect to known IP range:
location /fmwebdirect {
  allow 10.0.0.0/8;      # internal network
  allow 203.0.113.0/24;  # known office IPs
  deny all;
  proxy_pass https://localhost;
}
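
The allowlist above can be combined with the proxy-level Basic Auth option, so that known networks pass straight through and everyone else must authenticate at the proxy before the FileMaker login page is served. This is an added example, not configuration from the original page; the htpasswd path and the load balancer address 192.0.2.10 are assumptions, and the location and upstream are reused from the snippet above.

```nginx
location /fmwebdirect {
    # Only needed when nginx itself sits behind another proxy or load
    # balancer: without it, allow/deny evaluates that proxy's address
    # instead of the client's. 192.0.2.10 is a constructed address;
    # these two directives require ngx_http_realip_module.
    set_real_ip_from 192.0.2.10;
    real_ip_header   X-Forwarded-For;

    # Grant access if EITHER the address check OR Basic Auth succeeds.
    # "satisfy all" would require both.
    satisfy any;

    allow 10.0.0.0/8;      # internal network (from the snippet above)
    allow 203.0.113.0/24;  # known office IPs (from the snippet above)
    deny  all;

    # Clients outside the allowed ranges get a 401 challenge from nginx.
    auth_basic           "WebDirect";
    auth_basic_user_file /etc/nginx/webdirect.htpasswd;  # hypothetical path

    proxy_set_header Host            $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://localhost;
}
```

Run `nginx -t` before reloading to confirm the configuration parses and the htpasswd file is readable.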
