If you are just using POST, then only the FileMaker CWP server requires data. But if you're collecting data, why stop there? Adding an SSL to your web server will benefit you as well in securing your PHP forms.
You can do a POST via PHP/CWP to FileMaker without encryption on either the web or CWP server, however a quick search of "is POST secure", comes up with a number of red flag articles that suggest using SSL.
Don't forget to protect your POST calls by using prepared statements as well.
Ok good. I will only be using POST to send data from the web form to the FM database via CWP. There is never any data collection going on. That's really good. Do I need to tell the PHP site to use HTTPS or will it do this by default when it uses the CWP to post to FM? It's not sending any sensitive data in the POST, but when it makes the connection to FM PHP API it authenticates from the user's FM login credentials. Are those sent secure by default when using the API for PHP?