From Contract to Endpoint: Where Security Attaches
A WCF endpoint is the combination of an Address, a Binding, and a Contract (the ABC of WCF), and security is primarily a property of the binding — but real endpoint hardening spans more than just the <security> element. A serviceBehaviors configuration controls whether metadata (WSDL) is exposed publicly via httpGetEnabled, whether unhandled exception details leak to callers via includeExceptionDetailInFaults (which should always be false in production, since stack traces can reveal internal type names, file paths, and SQL fragments), and how service certificates are attached. Authorization is a separate concern from authentication entirely: WCF supports declarative role-based checks via PrincipalPermissionAttribute on operation contracts, or a more flexible ServiceAuthorizationManager override for claims-based or resource-specific authorization logic that runs after the caller's identity has already been established by the binding's security settings.
Cricket analogy: The ABC of WCF is like a match being defined by venue, format, and teams — but real ground security involves more than just the perimeter fence, it includes controlling what information the ground announcer reveals (metadata) and vetting pitch access separately from stadium entry (authorization vs authentication).
Locking Down Metadata and Exceptions
By default, a WCF service created from the Visual Studio templates often leaves httpGetEnabled="true" on the serviceMetadata behavior, publishing a full WSDL document at ?wsdl that describes every operation, parameter, and data contract — extremely convenient during development but a reconnaissance goldmine for an attacker in production, so it should be disabled or restricted to an internal-only endpoint once the service is stable and documented elsewhere. Similarly, includeExceptionDetailInFaults="true" causes unhandled .NET exceptions to be serialized back to the caller as a full stack trace inside the SOAP fault, which is invaluable for debugging locally but leaks implementation details (assembly names, file paths, sometimes connection strings embedded in exception messages) to any caller in production; the correct pattern is to catch expected exceptions explicitly and translate them into typed FaultContract-based faults that expose only the information the caller legitimately needs.
Cricket analogy: Leaving httpGetEnabled on in production is like leaving the team's full strategy playbook posted publicly at the stadium entrance — great for teammates during training, but a gift to the opposition on match day.
Operational Hardening Checklist
Beyond binding-level security, a genuinely hardened WCF endpoint layers in throttling via ServiceThrottlingBehavior (MaxConcurrentCalls, MaxConcurrentSessions, MaxConcurrentInstances) to prevent a single misbehaving or malicious client from exhausting server resources; message size and complexity limits via MaxReceivedMessageSize and the ReaderQuotas element (MaxDepth, MaxStringContentLength, MaxArrayLength) to prevent XML-bomb-style denial-of-service attacks where a small malicious payload expands into gigabytes of memory during parsing; and audit logging via WCF's built-in message logging or a custom IDispatchMessageInspector to record who called what operation and when, which becomes essential evidence during incident response. None of these settings are covered by the security mode or clientCredentialType alone — they are configured independently and are frequently the gap between a service that's 'secure' on paper (correct auth/encryption) and one that's actually resilient under real-world attack traffic.
Cricket analogy: Throttling is like a stadium capping how many people can enter through one turnstile per minute regardless of how legitimate their tickets are, preventing a crush even when every single person has a valid pass.
<behaviors>
<serviceBehaviors>
<behavior name="hardenedBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceThrottling maxConcurrentCalls="32"
maxConcurrentSessions="64"
maxConcurrentInstances="64" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="hardenedBinding" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>Correct security mode and clientCredentialType only protect the channel and verify identity — they do nothing to stop resource-exhaustion attacks. A properly authenticated, properly encrypted endpoint with default ReaderQuotas and no throttling can still be taken down by a small, well-formed but deeply nested malicious payload.
- Endpoint security spans more than the <security> element: metadata exposure, exception details, throttling, and message quotas all matter.
- Disable httpGetEnabled (or restrict it) in production to avoid publishing a full WSDL reconnaissance map.
- Set includeExceptionDetailInFaults to false and translate exceptions into typed FaultContract faults instead.
- Authorization (what a caller can do) is separate from authentication (who a caller is) and needs its own configuration.
- ServiceThrottlingBehavior prevents a single client from exhausting server resources via excessive concurrent calls.
- ReaderQuotas and MaxReceivedMessageSize defend against XML-bomb-style denial-of-service payloads.
- A fully authenticated and encrypted endpoint can still be brought down by resource-exhaustion attacks if throttling and quotas are left at unsafe defaults.
Practice what you learned
1. Why should httpGetEnabled be disabled on a production WCF service?
2. What is the risk of leaving includeExceptionDetailInFaults set to true in production?
3. What does ServiceThrottlingBehavior protect against that security mode configuration does not?
4. What is the purpose of ReaderQuotas settings like MaxDepth and MaxStringContentLength?
Was this page helpful?
You May Also Like
WCF Security Modes
An overview of the five security modes WCF bindings expose — None, Transport, Message, TransportWithMessageCredential, and TransportCredentialOnly — and when to use each.
Transport vs Message Security
A deep comparison of how WCF's transport-level and message-level security mechanisms actually protect data, and the trade-offs between them.
Authentication in WCF
How WCF authenticates callers via clientCredentialType options across transport and message security, including Windows, Certificate, UserName, and IssuedToken.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics