2 Replies Latest reply on Nov 2, 2015 5:49 PM by danjamins

    FileMaker CWP SSL Certificate Question

    danjamins

      Hi All,

       

      So I setup a CWP page on my website (let's just say mywebsite.com) which is hosted by hostmonster and the domain is a godaddy domain.

       

      It connects to my inhouse FileMaker server to POST data through the PHP API into a few tables, it also is restricted to require the user has an active account in the database.

       

      My question is do I need to only buy an SSL cert for my inhouse server, which is on mydomain.com and doesn't share the same domain name as my website, or do I need to buy both a cert for the website and server in order to encrypt the connection between the CWP website and my server?

       

      Thanks!

       

      Dan.

        • 1. Re: FileMaker CWP SSL Certificate Question
          mikebeargie

          If you are just using POST, then only the FileMaker CWP server requires data. But if you're collecting data, why stop there? Adding an SSL to your web server will benefit you as well in securing your PHP forms.

           

          You can do a POST via PHP/CWP to FileMaker without encryption on either the web or CWP server, however a quick search of "is POST secure", comes up with a number of red flag articles that suggest using SSL.

          security - How secure is a HTTP POST? - Stack Overflow

           

          Don't forget to protect your POST calls by using prepared statements as well.

          • 2. Re: FileMaker CWP SSL Certificate Question
            danjamins

            Ok good. I will only be using POST to send data from the web form to the FM database via CWP. There is never any data collection going on. That's really good. Do I need to tell the PHP site to use HTTPS or will it do this by default when it uses the CWP to post to FM? It's not sending any sensitive data in the POST, but when it makes the connection to FM PHP API it authenticates from the user's FM login credentials. Are those sent secure by default when using the API for PHP?