Client side web app direct to FM Rest API

Discussion created by MickCrozier on Nov 8, 2018
Latest reply on Nov 10, 2018 by philipHPG

Hi All

I'm looking to build a web interface to access small parts of a Filemaker application.


The main scenario:

Supervising staff being able to enter information about daily activities, any issues, times on site etc. Staff vary all the time. The current setup with WebDirect requires several concurrent user licences and has become cost prohibitive for such a small part of the overall system.

I'm considering building a web app using one of the many HTML/JS frameworks and hosting it in the httpsroot directory.

This means no additional web server is needed.

The data transmission is all encrypted using the SSL cert I've installed in FMS.

And no triggering of cross-origin site scripting protections.

All seems like a nice way to get it going.



I'm concerned about security.

Let's say I want to have my web page show "Hello Joe".

To know it's Joe I do a REST call to my staff_rest layout searching for the account name that was provided for login. It returns the user's name and maybe some other details.


But once a user is logged in, what's to stop them from hacking the client-side web code and executing a REST call to that same layout, returning all users' names, their account names, and the other info in the layout?


Am I being over-sensitive on security here? Is this just so ridiculously difficult that it wouldn't happen in a small-business situation?

Or is there a way to secure data better when using the REST API?