FileMaker Server Web Config File - Security Risk

Anyone managing FileMaker 19 Servers should read this post I’ve just added to Claris’s ‘Report a Problem’ discussions:

https://community.claris.com/en/s/question/0D53w00005s79ZCCAY/critical-windows-filemaker-server-1953-updater-overwrites-web-config-file-and-removes-port-443-brute-force-protection

I’ve no information on Mac, Linux or Claris Cloud servers I’m afraid.

9 Likes

Thanks a lot Andy,

it's really a major concern. I wonder how come the product was released with such a big issue ... I can hear the members' thoughts about this.

ouch!! Thank You so much, Andy!

The CISOs on some customer sites just waited for that )-:

2 Likes

@planteg and @Markus, yes. We were far from pleased to find every one of our cloud based v19 servers’ admin console available via the Internet and only protected by the username and password. I’ve no idea why they changed to port 443, as we could previously easily block 16000, 16001 using the firewall. But to not only enable access via the standard https protocol and then remove the protection during each upgrade beggars belief.

On top of this, as things stand, we currently have to reconfigure the web.config file after each update, close all the FileMaker files and then restart the FileMaker Service to re-enable port 443 protection. Not much fun when responsible for many servers.

1 Like

Also, to emphasise, in the Windows web.config file, all of the brute force protection code already exists; it is commented out. Simply search on fac_res and it will find the appropriate text.

Simply remove the <!-- and --> commenting out and replace <IP-Address-to-Grant_Access> with the server internal IP address, then restart the server or FileMaker Service.

The Claris information for 19.4.1 for Windows states that the whole rule has to be added. Again, we’ve no Mac or Linux servers that we can check, but the Apache changes are within the Claris link and may or may not include the Apache specific text.

7 Likes

Egads, this is terrible. I just tried it on my FileMaker server being hosted on macOS, which is running WebDirect, and indeed - the url: https://example.com/admin-console/ is now exposed to the public internet.

To fix this bug on macOS with FileMaker 19:

  1. Navigate to /Library/FileMaker Server/HTTPServer/conf/
  2. make a backup of the original file httpd.conf.2.4
  3. using a text editor, uncomment lines 505-508 (by removing the first '#' character on each line)
  4. on the line which says
    Require ip <IP-Address-to-Grant_Access> put your own IP address instead (do not use brackets, e.g. 127.0.0.1 not <127.0.0.1>)
  5. it's good practice to note this edit, so I add a comment line right above it as shown below
  6. the final result will look like this (give or take)
# MyName Date - prevent admin-server from being available on public internet
#    see https://the.fmsoup.org/t/filemaker-server-web-config-file-security-risk/3081/6?u=xochi
<Location "/admin-console">
    Require all denied
    Require ip 127.0.0.1
</Location>
  7. save the file
  8. Restart the Apache webserver by issuing this command in Terminal.app
    sudo "/Library/FileMaker Server/HTTPServer/bin/httpdctl" graceful
10 Likes
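Since the thread's core problem is that an updater silently puts the admin-console block back into its commented-out state, a post-update check is worth scripting. The following is an added example (not code from this thread or from Claris): a POSIX shell function that reads an FMS Apache config, extracts only the uncommented `<Location "/admin-console">` block, and reports whether it still contains `Require all denied` and a real `Require ip` address rather than the `<IP-Address-to-Grant_Access>` placeholder. It assumes the block has the shape quoted in the post above; the three sample config files are constructed inline so the script runs offline, and the real file path (`/Library/FileMaker Server/HTTPServer/conf/httpd.conf.2.4`) is only used in the usage comment.

```shell
#!/bin/sh
# Added example, not from the thread: verify after a FileMaker Server update that the
# admin-console Location block in the FMS Apache config is uncommented and populated.
# Assumed block layout (as quoted in the thread):
#   <Location "/admin-console">
#       Require all denied
#       Require ip <address>
#   </Location>
# Returns 0 when the block is in place, 1 when it is missing, commented out,
# or still carries the <IP-Address-to-Grant_Access> placeholder.
admin_console_protected() {
    conf="$1"
    # Keep only the lines of an uncommented <Location "/admin-console"> ... </Location>
    # block. A block whose opening tag starts with '#' never matches, so it is
    # treated as absent; commented lines inside a live block are dropped too.
    block=$(awk '
        /^[ \t]*<Location[ \t]+"\/admin-console">/ { inblk = 1 }
        inblk && !/^[ \t]*#/ { print }
        inblk && /^[ \t]*<\/Location>/ { inblk = 0 }
    ' "$conf")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -q 'Require all denied' || return 1
    # The placeholder left by the installer means nobody has filled in an address yet.
    if printf '%s\n' "$block" | grep -q '<IP-Address-to-Grant_Access>'; then
        return 1
    fi
    printf '%s\n' "$block" | grep -Eq 'Require ip [0-9A-Fa-f.:/]+' || return 1
    return 0
}

# Constructed sample configs (not real FMS files) to exercise the check.
SAMPLE_DIR=$(mktemp -d)

# Sample 1: the state the updater leaves behind, block fully commented out.
cat > "$SAMPLE_DIR/commented.conf" <<'EOF'
ServerName fms.example.invalid
#<Location "/admin-console">
#    Require all denied
#    Require ip <IP-Address-to-Grant_Access>
#</Location>
EOF

# Sample 2: uncommented but the placeholder address was never replaced.
cat > "$SAMPLE_DIR/placeholder.conf" <<'EOF'
ServerName fms.example.invalid
<Location "/admin-console">
    Require all denied
    Require ip <IP-Address-to-Grant_Access>
</Location>
EOF

# Sample 3: the fix from the thread applied, with a note above it.
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
ServerName fms.example.invalid
# MyName Date - prevent admin-server from being available on public internet
<Location "/admin-console">
    Require all denied
    Require ip 127.0.0.1
</Location>
EOF

# Usage on a live server (path from the thread):
#   admin_console_protected "/Library/FileMaker Server/HTTPServer/conf/httpd.conf.2.4"
for f in commented placeholder fixed; do
    if admin_console_protected "$SAMPLE_DIR/$f.conf"; then
        echo "$f.conf: admin-console block in place"
    else
        echo "$f.conf: admin-console NOT protected - re-apply the fix and restart Apache"
    fi
done
```

Run it from cron or your post-update runbook on each macOS server and alert on a non-zero exit; it only reads the config and makes no changes itself.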