How to Stop Clients from Referencing Your Service
- J.D. Meier, Carlos Farre, Jason Taylor,
Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
If you want block clients from accessing the WSDL of your service you should remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false. If the metadata is exposed, unwanted clients will be able to generate proxy
files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.
To stop your clients from referencing your service, stop your service from publishing its metadata. To do this, remove all the Mex endpoints from your service configuration and configure HttpGetEnabled and HttpsGetEnabled to false in the ServiceBehavior section
as shown below:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>