Do Not Pass Sensitive Information In SOAP Headers When Using Http Transport and Message Security

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Do not use message security if you need to pass sensitive information in SOAP headers over HTTP. Use transport security instead to protect sensitive data carried in SOAP headers, such as user identities passed for auditing purposes.

With message security, information contained in the SOAP headers is sent in plain text over the HTTP connection and can be intercepted on the wire. Message security signs SOAP header information by default, so the information can be read by anyone on the path but cannot be spoofed; transport security (HTTPS) encrypts the entire exchange, headers included.
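The following C# client is an added example, not code from the original guidance, showing a WCF call that carries the auditing user identity in a custom SOAP header with the two binding choices side by side; the service contract, header name and namespace, and endpoint address are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical service contract; the real contract name is an assumption.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string orderId);
}

public static class AuditHeaderClient
{
    // Hypothetical header name and namespace for the audited user identity.
    const string AuditHeaderName = "AuditUserId";
    const string AuditHeaderNs = "urn:example:audit";

    // Weak for sensitive headers: SecurityMode.Message signs and encrypts the
    // SOAP body and signs custom headers, but the header content itself
    // travels in the clear over plain HTTP.
    public static WSHttpBinding MessageSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Recommended: SecurityMode.Transport runs the whole exchange over TLS,
    // so every SOAP header, including the audit identity, is encrypted on the wire.
    public static WSHttpBinding TransportSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    public static string CallWithAuditHeader(Binding binding, string address, string userId, string orderId)
    {
        // Transport mode reports the "https" scheme; refuse a mismatched address
        // instead of silently sending the header over an unprotected channel.
        if (!string.Equals(new Uri(address).Scheme, binding.Scheme, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Endpoint scheme does not match binding security mode: " + address);

        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        IOrderService channel = factory.CreateChannel();
        using (new OperationContextScope((IContextChannel)channel))
        {
            // The identity used for auditing goes into a custom SOAP header.
            OperationContext.Current.OutgoingMessageHeaders.Add(
                MessageHeader.CreateHeader(AuditHeaderName, AuditHeaderNs, userId));
            return channel.PlaceOrder(orderId);
        }
    }
}
```

Calling `CallWithAuditHeader(TransportSecurityBinding(), "https://example.invalid/orders", "alice", "A-1001")` sends the header under TLS; the same call with `MessageSecurityBinding()` and an `http://` address would put `alice` on the wire in plain text.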

