Please be careful when using web connections:

I think for most users this is probably a given, however, I’ve just seen something used practice which I thought was a little risky.

When using web connections in FME, FME is not checking the hostname when making the request to an end point. This is true at least for some types of FME Server web connections but I assume it’s also true for others. 

If you have defined a service which uses a web connection you should only use that web connection when you actually need it. 

For example if you are dynamically requesting a list of URLs and only one of them requires authentication do not use the web connection for every request - especially if it’s to a different host. You will be sending the token or (in the case of basic HTTP Authentication) the username and password to those other servers. If you are not even checking the list of URLs then of course you could be making requests and sending out your credentials to who knows where.