Hiding my WCF service?

Question

I have a WCF service hosted on IIS6 and I am using .net framework 3.5. The site I have is on public domain I mean anybody can access from anywhere.

My question is, is there a way to hide my WCF service? I can easily view source my page or know exactly the the path of my service behind the page...

http://hostname.MyServiceName.svc?wsdl, how can I hide it?

score 11 · Accepted Answer · answered Dec 05 '10 at 20:28

Agreeing with David that just "obscuring" your service is less than half the solution, you can of course turn off

service metadata
http availability of your WSDL file

Do to do, make sure your <service> tag isn't referencing a <serviceBehavior> that includes the <serviceMetadata> tag.

So this will expose service metadata (including WSDL over HTTP):

<behaviors>
   <serviceBehaviors>
      <behavior name="default">
         <serviceMetadata httpGetEnabled="True" />
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
</serviceBehaviors>
<behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="default">
      ...
   </service>
</services>

while this will not expose any service metadata (observe the removal of the <serviceMetadata> tag):

<behaviors>
   <serviceBehaviors>
      <behavior name="nometadata">
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
</serviceBehaviors>
<behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="nometadata">
      ...
   </service>
</services>

When removing any service metadata, you won't be able to do Add Service Reference from within Visual Studio (or the equivalent thereof for any of the other development systems) anymore - the service just won't tell you what is available - you have to know some other way.

`you have to know some other way` what is the other way to know? — Nick Kahn, Dec 06 '10 at 00:15
@Chicagoland: you could provide written documentation, or you could supply a ready-made client proxy for your service as a e.g. .NET Assembly — marc_s, Dec 06 '10 at 06:02
Good idea; hadn't occurred to me. Still, sniffing an AJAX call or other request will reveal the methods, signatures, etc. — 3Dave, Dec 06 '10 at 11:50
@David Lively: yes, sure - I agreed with you - this is security through obscurity which is **never** a really good defence against intruders - it's at best a first step... — marc_s, Dec 06 '10 at 16:23

score 5 · Answer 2 · answered Dec 05 '10 at 20:03

This goes back to the old "security through obscurity" debate. Hiding your service isn't a good or effective way to secure it. Look into using SSL and a real authentication method rather than just attempting to "hide" it.

Also, to answer your question more directly: if the browser knows your service address (and it must in order for your pages to call it via JavaScript or what have you), it's an easy task for anyone to find it. No matter how much you try to hide the URL in your page source, it's a simple matter of monitoring the HTTP transactions in Fiddler or Firebug to see both the service address and the format/contents of the request.

I'd add that given a chance some bot will discover it. – Preet Sangha Dec 05 '10 at 20:05 — Preet Sangha, Dec 05 '10 at 20:05

score -1 · Answer 3 · answered Oct 01 '12 at 14:09

-1

Why do you want to hide your service? is someone finding it a real problem, or are you just trying to protect yourself?

There are lots of strategies for protecting yourself... but if it's just a casual 'don't want people to use my service' then just change the API every now and then. Nothing says 'stop it' like a randomly changing API.

answered Oct 01 '12 at 14:09

Anon

11

If the service needs to be secured then I'm not convinced some random switching would really do that. You are probably only annoying yourself. – Buh Buh Oct 02 '12 at 14:55

Hiding my WCF service?

3 Answers3

Linked