If You Don’t Want to Expose Your WSDL, Turn off HttpGetEnabled and Remove Metadata Exchange (mex) Endpoints

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you want to block clients from accessing the WSDL of your service, remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false.

This is potentially important once your clients are built and deployed and you don’t want other clients to discover and use the WCF service. If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service. If your client programs already have access to the service proxy, set the httpGetEnabled attribute to false.

The following configuration disables sharing service metadata:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
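To check a deployed configuration against both parts of this guideline (the GET attributes and the mex endpoints), the following added example, which is not part of the original guidance, scans a WCF config file for either form of metadata exposure. The service, contract and behavior names in the sample configs are hypothetical, and the script assumes the config elements carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Standard WCF metadata-exchange bindings (lower-cased for comparison).
MEX_BINDINGS = {"mexhttpbinding", "mexhttpsbinding",
                "mextcpbinding", "mexnamedpipebinding"}

def find_metadata_exposure(config_xml):
    """Return findings for settings in a WCF config that publish metadata."""
    root = ET.fromstring(config_xml)
    findings = []
    # 1. serviceMetadata behaviors that serve the WSDL over HTTP(S) GET.
    #    Both attributes default to false when absent.
    for behavior in root.iter("behavior"):
        for meta in behavior.iter("serviceMetadata"):
            for attr in ("httpGetEnabled", "httpsGetEnabled"):
                if meta.get(attr, "false").strip().lower() == "true":
                    findings.append("behavior '%s': %s is true"
                                    % (behavior.get("name", ""), attr))
    # 2. Endpoints that serve WS-MetadataExchange (mex).
    for service in root.iter("service"):
        for ep in service.iter("endpoint"):
            contract = ep.get("contract", "").split(".")[-1]
            binding = ep.get("binding", "").lower()
            if contract == "IMetadataExchange" or binding in MEX_BINDINGS:
                findings.append("service '%s': mex endpoint at address '%s'"
                                % (service.get("name", ""), ep.get("address", "")))
    return findings

# Constructed sample configs; service, contract and behavior names are hypothetical.
TEMPLATE = """<configuration><system.serviceModel>
  <services>
    <service name="Sample.OrderService" behaviorConfiguration="OrderBehavior">
      <endpoint address="" binding="wsHttpBinding" contract="Sample.IOrderService"/>
      %s
    </service>
  </services>
  <behaviors><serviceBehaviors>
    <behavior name="OrderBehavior">
      <serviceMetadata httpGetEnabled="%s" httpsGetEnabled="False"/>
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""
MEX = '<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>'
EXPOSED = TEMPLATE % (MEX, "true")
HARDENED = TEMPLATE % ("", "False")

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, find_metadata_exposure(cfg) or "no metadata exposure found")
```

The hardened sample keeps the application endpoint and drops only the mex endpoint, so existing clients that already hold a proxy continue to work.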

Last edited Jun 12, 2008 at 9:23 PM by prashantbansode, version 1

