Publish Your WCF Service Metadata Only When Required

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Set the httpGetEnabled and httpsGetEnabled attributes to False on the serviceMetadata element, and remove any endpoints configured on your service that implement IMetadataExchange contracts.

This is especially important once your clients are built and deployed and you don’t need other clients to discover and use the WCF service. If the metadata is exposed, unwanted clients can generate proxy files (for example, with SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service. If your client programs already have access to the service proxy, set the httpGetEnabled attribute to false.

The following configuration disables sharing service metadata:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
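
To check an existing configuration against both parts of this guidance, the following Python script scans a WCF configuration file for serviceMetadata elements with HTTP or HTTPS GET enabled and for endpoints that implement IMetadataExchange. It is an added example, not part of the original guidance; the sample configuration, its service and behavior names, and the function name find_metadata_exposure are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): metadata is published twice, through
# HTTP GET on the behavior and through a MEX endpoint on the service.
SAMPLE_CONFIG = """<configuration>
 <system.serviceModel>
  <services>
   <service name="Example.OrderService" behaviorConfiguration="OrderBehavior">
    <endpoint address="" binding="wsHttpBinding" contract="Example.IOrderService"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
   </service>
  </services>
  <behaviors>
   <serviceBehaviors>
    <behavior name="OrderBehavior">
     <serviceMetadata httpGetEnabled="True" httpsGetEnabled="False"/>
    </behavior>
   </serviceBehaviors>
  </behaviors>
 </system.serviceModel>
</configuration>"""


def find_metadata_exposure(config_xml):
    """Return one finding per setting that publishes WCF service metadata."""
    root = ET.fromstring(config_xml)  # run only on config files you control
    findings = []
    # Check 1: serviceMetadata with HTTP or HTTPS GET retrieval switched on.
    for behavior in root.iter("behavior"):
        name = behavior.get("name") or "(unnamed)"
        for meta in behavior.findall("serviceMetadata"):
            for attr in ("httpGetEnabled", "httpsGetEnabled"):
                # Both attributes default to false when omitted.
                if meta.get(attr, "false").strip().lower() == "true":
                    findings.append(f"behavior {name}: {attr} is enabled")
    # Check 2: endpoints that implement the IMetadataExchange contract.
    for service in root.iter("service"):
        for endpoint in service.findall("endpoint"):
            contract = endpoint.get("contract", "")
            if contract.split(".")[-1] == "IMetadataExchange":
                address = endpoint.get("address", "")
                findings.append(f"service {service.get('name')}: metadata endpoint at '{address}'")
    return findings


if __name__ == "__main__":
    for finding in find_metadata_exposure(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty result means neither form of metadata publishing is configured in the file; metadata behaviors or endpoints added in code at service start-up are outside what a configuration scan can see.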

Last edited Jun 12, 2008 at 11:32 PM by prashantbansode, version 1
