MatthewMartin

Reputation: 33143

Why are SOAP and GET disabled in asmx webservices by default?

I'm about to turn on the missing protocols for my asmx webservices. They're already behind two layers of authentication and have a role-checking attribute, so otherwise it is secure.

This MS KB article explains GET and SOAP are disabled for asmx by default, while POST is enabled by default, but doesn't say why other than "security reasons." Is this just superstition? Why did they do that? It seems that having POST enabled is just as insecure as having GET enabled.

I suppose this reduced the attack surface, but disabling everything until someone invokes the webservice by a particular protocol would be even more secure than leaving POST enabled.

Upvotes: 0

Views: 1931

Answers (1)

John Saunders

Reputation: 161773

The actual link is INFO: HTTP GET and HTTP POST Are Disabled by Default.

The GET and POST protocols cannot support SOAP Headers. These are required by many services for security purposes.

Additionally, these protocols are not used that often for pure SOAP Services (as the protocol specifies the use of POST). Having them open leaves a door open that nobody will be watching. Bad people may sneak in.

Upvotes: 1
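For reference, the setting under discussion lives in the `<protocols>` element of the application's web.config. The fragment below is an added example, not taken from the answer or the KB article: it keeps the SOAP bindings and removes the plain HTTP GET/POST bindings explicitly, with the opt-in variant the question describes shown in a comment.

```xml
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- SOAP over HTTP POST stays available: requests arrive in a SOAP
             envelope, so SOAP headers (for example a security header the
             service checks) can be carried. -->
        <add name="HttpSoap"/>

        <!-- Plain HTTP GET and form POST bindings send parameters in the
             query string or form body, with no SOAP envelope and therefore
             no SOAP headers. Removing them here states the intent in the
             application itself instead of relying on machine.config. -->
        <remove name="HttpGet"/>
        <remove name="HttpPost"/>

        <!-- Variant that enables the extra bindings, as the question
             proposes. Any check that depends on a SOAP header does not
             apply to calls arriving over these two bindings.
        <add name="HttpGet"/>
        <add name="HttpPost"/>
        -->
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

If the extra bindings are enabled, requests to the `.asmx` endpoints that lack a `SOAPAction` header are the ones to watch in the IIS logs, since those are the calls that bypass the SOAP path.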
