Jump to content
View in the app

A better way to browse. Learn more.
FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

FM Security

jackal101
in Security Concepts

Featured Replies

  • Newbies

Greetings,

There are plenty of discussions about security issues when creating a custom login screen. Can't I just remove the admin? Is that secure enough? 

or have two fmp files;  login.fmp and main.fmp and using the re-login script.

When it comes to security, anything with the word "just" is typically not enough.

Security has many layers that we need to consider. And all of it has to be weighed against the data we have, the risk of a breach, and the threat of said breach. Feel free to ask about specifics, I will outline a couple things that help us understand why its typically not wise to create a custom login screen. No doubt others will add to it.

  • Authentication - if they are in the file, you have already bypassed the first line of defense. And you have to take additional steps to ensure they can't perform unauthorized actions.
  • DDoS style attacks are much easier if you just let them in the file. They may not be able to get the data, if you have properly secured it using FileMaker's built in security privileges...but they can still crash the server.
  • It has been demoed fairly extensively that, while FileMaker's native security is very solid, custom login screens, more often than not, open a hole to allow someone to access the data.
  • If any of your security model relies on scripts executing, they can't be trusted. Someone can stop any script from running. This is not something you can prevent from happening. It's not a security threat in itself, but if the manipulation of a user's authorization or authentication rely scripts, it can be easily defeated.

https://community.filemaker.com/videos/1697

I know this thread about 2 Factor Authentication was long, but it's worth the read. In the end, you have to decide if a proven risk is worth the UI gain for something that is seen so infrequently.

    • Thanks 1
    • Author
    • Newbies

    Thank you Josh.

    Main concern is the admin or user that could modify the layout.. I tried to open fmp files using passkey, all accounts are there and i can delete all the password. 

    Any negative effect if I will remove the admin account (Full access) ?

    Create an account or sign in to comment

    https://fmforums.com/topic/103796-fm-security/
    Go to topic listing

    Important Information

    By using this site, you agree to our Terms of Use.

    I accept

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.