ASP.net - web services - only accessible over localhost

Question

I am working on a site that exposes a set of webservices within a folder in the site:

services
--- servicea.asmx
--- serviceb.asmx

These services are set up to allow some interoperability with other sites that we control, and these all reside on the same server.

The site uses asp.net forms based authentication, but the services folder has been exempted from this and each service performs it's own authentication when calling a method, and checks that he access is from a local address only, and this works fine.

However, if I access services/servicea.asmx from an external address, I can still see a list of the methods available. I cannot effectively call any of these methods from an external address, which is as it should be, but I'm not comfortable exposing our internal API like this. Is there any way to stop an asmx file from responding with a list of methods when accessed outside the box?

Answer 1

You should be able to add the following to your web.config:

<system.web.services>
    <protocols>
        <remove name="Documentation"/>
    </protocols>
</system.web.services>

This should hide the service description page.

See http://msdn.microsoft.com/en-us/library/b2c0ew36%28v=vs.100%29.aspx for more information - note that this also prevents the client from generating a WSDL proxy class, so it can be a real barrier to ease of implementation.

Hiding the method names is no substitute for security though so you might want to consider if you need to do this or not.