Few lines about WCF metadata
What is WCF metadata?
WCF generates metadata for service endpoints and this metadata is used to describe how to interact with the service’s endpoints. This information is used by Svcutil.exe to generate proxy for accessing the service.
WCF metadata is exposed by one or more metadata endpoints similar to service endpoints. They have an address, a binding, and a contract.
This information is sent over standard protocols, such as WS-MetadataExchange (MEX) and HTTP/GET requests.
Also, Metadata can be added to a service host through configuration or imperative code.
We can see the below example for adding metadata endpoints to the service in the configuration file.
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
What are the bindings available for Service Metadata?
- mexHttpBinding for HTTP protocol.
- mexHttpsBinding for HTTPS security layer.
- mexNamedPipeBinding for named pipe.
- mexTcpBinding for TCP protocol.
Can Service Metadata be tampered?
- Service metadata can be tampered with or spoofed.
- Spoofed data can be used to redirect client to a malicious service.
- Metadata documents can be large and are frequently saved to the file system.
How to protect Service Metadata?
- Use a secure binding to request service metadata.
- Publish service metadata over HTTPS, use mexHttpsBinding and configure a server certificate for the service.