I’ve spent a lot of time writing web services on the many projects I’ve worked on, and over the years I’ve developed my own set of best practices for building them. One of the aspects I always cover is security. This article covers a simple step you can take in your web.config to disable the web service test page (the ASMX page).
Web.config Tweak to Remove Web Service Protocols
Open up your web.config and add the following snippet inside the <system.web> element:
<webServices>
  <protocols>
    <remove name="HttpGet" />
    <remove name="HttpPost" />
    <remove name="HttpPostLocalhost" />
  </protocols>
</webServices>
You may still access the web services by consuming them from a client application (the SOAP protocol is left in place), but navigating to the ASMX test pages will no longer show a form that you can fill out to send test data, because the HTTP GET and POST bindings that form relies on have been removed. This is a simple step you can take to prevent unauthorized execution from the test page, but it’s nowhere near as secure as it should be on its own. Stay tuned as I’ll follow up on this topic with more things you can do to secure web services. The next topic will be on implementing SOAP headers for authorization to web services. Think of these SOAP headers as additional metadata sent to the web service to authorize a client by username and password.
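A quick way to audit whether a deployed web.config actually carries the removals from the snippet above is to parse the protocols collection the way ASP.NET does, in document order, where a later <add> re-enables a protocol that an earlier <remove> disabled. The script below is an added example written for this article, not code from the original post; the function name and the two sample configs are constructed for illustration.

```python
"""Audit a web.config for the ASMX test-form protocol removals.

Hypothetical helper (not from the article): walks the
system.web/webServices/protocols collection in document order, applying
<clear/>, <remove name=.../> and <add name=.../> the way ASP.NET config
collections do, and reports which test-form protocols remain enabled.
"""
import xml.etree.ElementTree as ET

TEST_FORM_PROTOCOLS = ("HttpGet", "HttpPost", "HttpPostLocalhost")


def protocols_still_enabled(web_config_xml: str) -> list:
    """Return the test-form protocols this web.config does not disable.

    Audit assumption: each protocol counts as enabled until a directive
    disables it, so a config with no protocols section fails the check.
    """
    root = ET.fromstring(web_config_xml)
    protocols = root.find("./system.web/webServices/protocols")
    enabled = set(TEST_FORM_PROTOCOLS)
    if protocols is not None:
        for directive in protocols:
            name = directive.get("name")
            if directive.tag == "clear":
                enabled.clear()            # <clear/> empties the collection
            elif directive.tag == "remove":
                enabled.discard(name)      # <remove/> disables one protocol
            elif directive.tag == "add" and name in TEST_FORM_PROTOCOLS:
                enabled.add(name)          # a later <add/> re-enables it
    return [p for p in TEST_FORM_PROTOCOLS if p in enabled]


# Constructed sample configs (not taken from any real project).
HARDENED = """<configuration><system.web><webServices><protocols>
  <remove name="HttpGet" /><remove name="HttpPost" />
  <remove name="HttpPostLocalhost" />
</protocols></webServices></system.web></configuration>"""

REENABLED = """<configuration><system.web><webServices><protocols>
  <remove name="HttpGet" /><remove name="HttpPost" />
  <add name="HttpPost" />
</protocols></webServices></system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("reenabled", REENABLED)):
        print(label, "still enabled:", protocols_still_enabled(cfg))
```

Point it at a real web.config by reading the file into a string; an empty list means all three test-form protocols are disabled.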