How to avoid proxy spoofing

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

To avoid proxy spoofing at the time of adding a WCF Service Reference:
  • Publish metadata securely, over HTTPS. Use the mexHttpsBinding and configure a server certificate for the service. The following configuration shows how to publish metadata securely:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="True"/>
  • If you are required to use a MEX endpoint instead of exposing your service reference using httpGet, use a secure binding. You can use any standard binding that has security features for the MEX service endpoint; the only requirement is that it uses the IMetadataExchange contract. Generating the proxy will then require a custom svcutil.exe.config file.

To avoid proxy spoofing at runtime:
  • Make sure your WCF service uses mutual authentication. Mutual authentication is enforced when using either message or transport security.
  • If you are using basicHttpBinding, note that by default it does not use any security; make sure it is configured to use either transport or message security.
  • Do not rely on the NTLM protocol for authentication. NTLM does not provide mutual authentication.
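
The two lists above combined into one service configuration, as an added example that is not part of the original guidance. The service and contract names, the binding configuration name and the base address are hypothetical.

```xml
<!-- Added example. Example.OrderService, Example.IOrderService, secureBasic,
     secureMetadata and service.example.com are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Weak setting, shown for comparison only. This is what basicHttpBinding
           does when no security element is present: the client has no proof of
           which server it is talking to.
           <binding name="insecureDefault"><security mode="None"/></binding> -->

      <!-- Corrected setting: transport security. The server is authenticated by
           its SSL certificate and the client by a client certificate, which
           gives mutual authentication without NTLM. -->
      <binding name="secureBasic">
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="secureMetadata">
        <!-- Metadata is published over HTTPS only. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="secureMetadata">
      <host>
        <baseAddresses>
          <add baseAddress="https://service.example.com/OrderService"/>
        </baseAddresses>
      </host>
      <!-- Application endpoint bound to the secured binding configuration. -->
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="secureBasic"
                contract="Example.IOrderService"/>
      <!-- Metadata endpoint over HTTPS, using the IMetadataExchange contract. -->
      <endpoint address="mex" binding="mexHttpsBinding"
                contract="IMetadataExchange"/>
    </service>
  </services>
</system.serviceModel>
```

With transport security, the server certificate is bound to the HTTPS port in IIS or HTTP.SYS rather than in this file.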

Last edited Jun 13, 2008 at 8:16 PM by prashantbansode, version 1

