 

Hiding my WCF service?

I have a WCF service hosted on IIS6 and I am using .NET Framework 3.5. The site I have is on a public domain; I mean anybody can access it from anywhere.

My question is, is there a way to hide my WCF service? I can easily view the source of my page or know exactly the path of my service behind the page...

http://hostname.MyServiceName.svc?wsdl, how can I hide it?

Nick Kahn asked Dec 08 '22 00:12


2 Answers

Agreeing with David that just "obscuring" your service is less than half the solution, you can of course turn off

  • service metadata
  • http availability of your WSDL file

To do so, make sure your <service> tag isn't referencing a <serviceBehavior> that includes the <serviceMetadata> tag.

So this will expose service metadata (including WSDL over HTTP):

<behaviors>
   <serviceBehaviors>
      <behavior name="default">
         <!-- publishes service metadata, including the WSDL, over HTTP GET -->
         <serviceMetadata httpGetEnabled="True" />
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
   </serviceBehaviors>
</behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="default">
      ...
   </service>
</services>

while this will not expose any service metadata (observe the removal of the <serviceMetadata> tag):

<behaviors>
   <serviceBehaviors>
      <behavior name="nometadata">
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
   </serviceBehaviors>
</behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="nometadata">
      ...
   </service>
</services>

When removing any service metadata, you won't be able to do Add Service Reference from within Visual Studio (or the equivalent thereof for any of the other development systems) anymore - the service just won't tell you what is available - you have to know some other way.

marc_s answered Jan 19 '23 15:01
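
An added example, not part of the answer above: a Python audit that reads a `<system.serviceModel>` section and lists the services that still publish metadata, either through `httpGetEnabled`/`httpsGetEnabled` on `<serviceMetadata>` or through an `IMetadataExchange` endpoint. It goes a little beyond the answer by also covering the HTTPS flag and MEX endpoints; the function names, service names and sample configuration are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's two behaviors plus a MEX-only one, wrapped in
# a well-formed <system.serviceModel> section. Service names are hypothetical.
SAMPLE_CONFIG = """<system.serviceModel>
  <behaviors><serviceBehaviors>
    <behavior name="default"><serviceMetadata httpGetEnabled="True" /></behavior>
    <behavior name="mexonly"><serviceMetadata /></behavior>
    <behavior name="nometadata"><serviceDebug includeExceptionDetailInFaults="True" /></behavior>
  </serviceBehaviors></behaviors>
  <services>
    <service name="Demo.PublicService" behaviorConfiguration="default" />
    <service name="Demo.MexService" behaviorConfiguration="mexonly">
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
    <service name="Demo.QuietService" behaviorConfiguration="nometadata" />
  </services>
</system.serviceModel>"""

def is_true(value):
    return (value or "").strip().lower() == "true"

def find_metadata_exposure(config_xml):
    """Return {service name: [reasons]} for services that publish metadata."""
    root = ET.fromstring(config_xml)
    # Service behaviors by name; an unnamed behavior is stored under "" and is
    # matched by services that set no behaviorConfiguration (conservative).
    behaviors = {b.get("name", ""): b for b in root.findall(".//serviceBehaviors/behavior")}
    findings = {}
    for svc in root.iter("service"):
        reasons = []
        behavior = behaviors.get(svc.get("behaviorConfiguration", ""))
        if behavior is not None:
            for meta in behavior.iter("serviceMetadata"):
                for attr in ("httpGetEnabled", "httpsGetEnabled"):
                    if is_true(meta.get(attr)):
                        reasons.append(f"{attr} in behavior '{behavior.get('name', '')}'")
        for ep in svc.iter("endpoint"):
            if ep.get("contract") == "IMetadataExchange":
                reasons.append(f"metadata exchange endpoint at '{ep.get('address', '')}'")
        if reasons:
            findings[svc.get("name")] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in find_metadata_exposure(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(reasons))
```

Run against a deployed `web.config`, an empty result means none of the listed services publishes metadata; it says nothing about whether the service itself is authenticated.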


This goes back to the old "security through obscurity" debate. Hiding your service isn't a good or effective way to secure it. Look into using SSL and a real authentication method rather than just attempting to "hide" it.

Also, to answer your question more directly: if the browser knows your service address (and it must in order for your pages to call it via JavaScript or what have you), it's an easy task for anyone to find it. No matter how much you try to hide the URL in your page source, it's a simple matter of monitoring the HTTP transactions in Fiddler or Firebug to see both the service address and the format/contents of the request.

3Dave answered Jan 19 '23 16:01