Locking Down Web Services: Http-Get and Http-Post

Web services are all the rage these days, and with good reason. While they are neither a panacea nor appropriate in all situations, they do solve some gnarly problems in distributed applications. But they are yet another exposed portal into your servers, so care is necessary to prevent the bad guys from screwing up your system. One of the basic principles of security is to provide only the services that are absolutely necessary on a server, since each provides a potential entry point for attack. For example, if a Web server isn't using FTP for file transfer, FTP should be removed from the system.

The Simple Object Access Protocol, SOAP, which underlies most Web service implementations, is designed to work with essentially any network protocol. Most commonly it is used with HTTP to transfer SOAP envelopes with a request or response payload. But that is not a limitation of SOAP. By default, Web services created with Microsoft's ASP.NET enable three SOAP bindings: Http-Soap, Http-Get, and Http-Post. Http-Soap generally provides the richest functionality of the three and is likely to be the binding of choice for production Web services. This means that you should disable Http-Get and Http-Post so that they don't provide an
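
An added example, not from the original article: a Python check that reads a web.config and reports whether the Http-Get and Http-Post bindings are still enabled. It assumes the bindings are controlled through the `<protocols>` element under `<system.web>/<webServices>` with the protocol names `HttpSoap`, `HttpGet` and `HttpPost`, and that the inherited defaults are the three the article lists; both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

UNWANTED = {"HttpGet", "HttpPost"}            # bindings the article says to disable
ARTICLE_DEFAULTS = ("HttpSoap", "HttpGet", "HttpPost")  # assumed inherited set

# Constructed sample: no <protocols> override, so the defaults stay in force.
WEAK_CONFIG = """<configuration><system.web>
  <webServices/>
</system.web></configuration>"""

# Constructed sample: both unwanted bindings removed.
HARDENED_CONFIG = """<configuration><system.web>
  <webServices><protocols>
    <remove name="HttpGet"/>
    <remove name="HttpPost"/>
  </protocols></webServices>
</system.web></configuration>"""

def _child(element, name):
    """First child with this local name, ignoring any XML namespace."""
    return next((c for c in element if c.tag.rsplit("}", 1)[-1] == name), None)

def enabled_bindings(config_xml, inherited=ARTICLE_DEFAULTS):
    """Protocol names left enabled once the <protocols> section is applied."""
    enabled = set(inherited)
    node = ET.fromstring(config_xml)
    for step in ("system.web", "webServices", "protocols"):
        node = _child(node, step)
        if node is None:
            return enabled                    # nothing overrides the defaults
    for directive in node:                    # applied in document order
        kind = directive.tag.rsplit("}", 1)[-1]
        name = directive.get("name")
        if kind == "clear":
            enabled.clear()
        elif kind == "remove" and name:
            enabled.discard(name)
        elif kind == "add" and name:
            enabled.add(name)
    return enabled

def audit(config_xml):
    """Unwanted bindings that are still enabled, sorted for stable output."""
    return sorted(UNWANTED & enabled_bindings(config_xml))

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "ok")
```

Because directives are applied in document order, a later `<add>` that re-enables a removed binding is reported as well.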

