Tuesday, November 18, 2008

Disabling Discovery

Microsoft WCF 3.5: How to Stop Clients from Referencing Your Service

If you want to block clients from accessing the WSDL of your service, remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false.

If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.

To stop your clients from referencing your service, stop your service from publishing its metadata. To do this, remove all the MEX endpoints from your service configuration and set httpGetEnabled and httpsGetEnabled to false on the serviceMetadata element in the serviceBehaviors section, as shown below:

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
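
The same change in the context of a full system.serviceModel section, as an added example that is not from the original post. The service, contract and behavior names are hypothetical; the "before" fragment shows the two places metadata is published, and the "after" fragment shows both closed.

```xml
<!-- Added example (constructed). Example.OrderService, Example.IOrderService
     and the behavior names are hypothetical placeholders. -->

<!-- BEFORE: metadata is published through a MEX endpoint and over HTTP GET -->
<system.serviceModel>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="WithMetadata">
      <endpoint address="" binding="basicHttpBinding"
                contract="Example.IOrderService" />
      <!-- Metadata exchange endpoint: lets SvcUtil.exe generate a proxy -->
      <endpoint address="mex" binding="mexHttpBinding"
                contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="WithMetadata">
        <!-- Serves the WSDL to anyone who requests the ?wsdl address -->
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- AFTER: MEX endpoint removed, HTTP and HTTPS GET metadata disabled -->
<system.serviceModel>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="NoMetadata">
      <!-- Only the application endpoint remains -->
      <endpoint address="" binding="basicHttpBinding"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="NoMetadata">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

To confirm the change took effect, request the service's ?wsdl address and point SvcUtil.exe at the service; neither should return metadata.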
