Cross Origin support for the FileMaker Data API

CORS, FileMaker, FileMaker Data API

Cross Origin support for the FileMaker Data API

If you want to be able to access the FileMaker Data API directly from JavaScript running in a client browser you’ll need to set additional headers to support CORS (Cross Origin Request Sharing).

Think carefully about how you configure this, since you may not want to open your FMS to all locations, so consider what you add as the allowed origins. If you really want ‘everyone’ then use *, otherwise limit this to specific domain(s) on which you will serve content.


  1. Open /Library/FileMaker Server/HTTPServer/conf/httpd.conf.2.4 in your favourite text editor
  2. Locate the entry <Location “/fmi”> likely around line 459
  3. At the bottom of that declaration (just before </Location>) add the following lines (setting the Allow-Origin header as appropriate for your environment).
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Access-Control-Allow-Origin, Authorization"
    Header always set Access-Control-Allow-Methods "PATCH, GET, POST, DELETE, OPTIONS"
    RewriteEngine On
    RewriteRule ^(.*)$ $1 [R=200,L]
  4. Save the file, and restart FileMaker apache with
    sudo /Library/FileMaker\ Server/HTTPServer/bin/httpdctl graceful

By way of explanation – the first three lines are returning headers which tell the browser that it’s allowed to connect if the code is being run from the ‘Allow-Origin’ location. It then lists the headers which are allowed to be sent. The third header defines the methods which are supported.

The last three lines are necessary for the CORS preflight check. Essentially what happens when a browser goes to make a CORS request is that it issues an OPTIONS HTTP request, and then inspects the returned headers. The /fmi location is acting as a proxy to a component of FileMaker server which doesn’t know what to do with the OPTIONS method, so we use a simple rewrite rule to return a 200 ‘success’ status code. The always in the three headers being set means that they are also returned with the status code, so the browser knows what it’s allowed to do.


Begin by reading the IIS CORS module Configuration Reference in which you will see that this module makes things quite a bit easier for us to manage the configuration, not-least because it handles the preflight check for us!

  1. Using the Web Platform Installer install the CORS module for IIS (if not already installed). You might have to restart the server (not just IIS) to complete this installation
  2. Open C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf\web.config in your favourite text editor (you may want to make a backup first, just in case 😉
  3. At the bottom of the file, just before </system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*">
        <allowHeaders allowAllRequestedHeaders="true" />
          <add method="GET" />
          <add method="PATCH" />
          <add method="POST" />
          <add method="DELETE" />
  4. Save the file and restart the FMWebSite virtual host

I’m less familiar with IIS than, but it seems to be that this is enabling CORS across your entire FMWebSite, rather than just the /fmi virtual folder which is being done in OS X, which again, may not be the best idea – if you’re more familiar with IIS configuration and know how to adjust things accordingly please let us know!

  • belleAlino says:

    Hi :). I am from Netherlands and i don’t know how can i disable my signature? Regards 🙂

    April 12, 2020 at 9:51 am
  • jondul says:

    Hi! Thank you for article. When I do this on my server and go to restart FileMaker Apache, I get this message “httpd.conf.2.4 is not linked, link it to httpd.conf” – and then it does not appear to have enabled CORS. Does anyone know what that means and how to fix it?

    July 25, 2020 at 6:38 pm

Leave A Comment