Locking Down Web Services: Http-Get and Http-Post

By Don Kiely, ITworld |  How-to

Web services are all the rage these days, and with good reason. While
they are neither a panacea nor appropriate in all situations, they do
solve some gnarly problems in distributed applications. But they are yet
another exposed portal into your servers, so care is necessary to
prevent the bad guys from screwing up your system. One of the basic
principles of security is to provide only the services that are
absolutely necessary on a server, since each provides a potential entry
point for attack. For example, if a Web server isn't using FTP for file
transfer, FTP should be removed from the system.

The Simple Object Access Protocol, SOAP, which underlies most Web
service implementations, is designed to work with essentially any network
protocol. Most commonly it is used with HTTP to transfer SOAP envelopes
with a request or response payload. But that is not a limitation of
SOAP. By default, Web services created with Microsoft's ASP.NET enable
three SOAP bindings: Http-Soap, Http-Get, and Http-Post. Http-Soap
generally provides the richest functionality of the three and is likely
to be the binding of choice for production Web services. This means that
you should disable Http-Get and Http-Post so that they don't provide an
entr
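
A check for the setting described above, added here as an example and not taken from the original article: it reads an ASP.NET web.config and reports which Web service bindings remain enabled besides Http-Soap. It assumes the configuration names `HttpSoap`, `HttpGet` and `HttpPost` under `<system.web><webServices><protocols>`, treats the three-binding default the article describes as the inherited list, and uses constructed sample files.

```python
import xml.etree.ElementTree as ET

# Assumption: the inherited (machine-wide) list is the default the article describes.
MACHINE_DEFAULTS = ["HttpSoap", "HttpGet", "HttpPost"]

# Constructed sample: web.config that removes the two bindings to be disabled.
HARDENED = """<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="HttpGet" />
        <remove name="HttpPost" />
      </protocols>
    </webServices>
  </system.web>
</configuration>"""

# Constructed sample: web.config that never touches the protocols list.
UNCHANGED = """<configuration>
  <system.web><compilation debug="false" /></system.web>
</configuration>"""

def effective_protocols(web_config_xml, inherited=MACHINE_DEFAULTS):
    """Apply <add>, <remove> and <clear> in document order to the inherited list."""
    active = list(inherited)
    root = ET.fromstring(web_config_xml)
    protocols = root.find("system.web/webServices/protocols")
    if protocols is None:
        return active  # nothing overridden, so the defaults stay enabled
    for element in protocols:
        name = element.get("name")
        if element.tag == "clear":
            active = []
        elif element.tag == "remove" and name in active:
            active.remove(name)
        elif element.tag == "add" and name and name not in active:
            active.append(name)
    return active

def unwanted_bindings(web_config_xml, allowed=("HttpSoap",)):
    """Return every enabled binding that is not on the allow list."""
    return [p for p in effective_protocols(web_config_xml) if p not in allowed]

if __name__ == "__main__":
    for label, config in (("hardened", HARDENED), ("unchanged", UNCHANGED)):
        print(label, "->", unwanted_bindings(config) or "only HttpSoap enabled")
```

The check does not evaluate `<location>` overrides or XML namespaces on the root element, so a file that uses either needs separate review.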
