How to: Disable Protocol Support for Web Services
To help reduce the risk of inadvertent invocation of a Web service, you should disable protocol support when it is not required. You can disable protocol support for the whole machine or for individual Web applications.
To disable HTTP-GET and HTTP-POST protocols for the whole machine
Open the Machine.config file in a text editor. (The default installation places Machine.config in the \Config subdirectory of the installation root.)
Comment out the lines within the webServices section that add support for HTTP-GET and HTTP-POST, if they exist. After doing so, the webServices section should look like the following:
    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <!-- <add name="HttpPost"/> -->
        <!-- <add name="HttpGet"/> -->
        <add name="Documentation"/>
        <add name="HttpPostLocalhost"/>
      </protocols>
    </webServices>
Save Machine.config.
This configuration change takes effect on the next request to a Web service hosted on that machine.
To disable support for a protocol for an individual Web application
Open the Web.config file in the root directory of the Web application in a text editor. (If a Web.config file does not exist, create one.)
Modify the webServices section of Web.config to explicitly remove the protocol setting. The following example explicitly removes the HTTP-POST and HTTP-GET protocols:
    <webServices>
      <protocols>
        <remove name="HttpPost" />
        <remove name="HttpGet" />
      </protocols>
    </webServices>
Save Web.config.
This configuration change takes effect on the next request to a Web service hosted by the Web application.
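To verify either procedure, the following Python example (added here, not part of the original documentation) computes which protocols remain enabled once a Web.config is applied on top of Machine.config and reports whether HttpGet or HttpPost is still active. The sample configuration strings are constructed, the function names are hypothetical, and the system.web wrapper and <clear/> handling are assumptions taken from the standard ASP.NET configuration schema rather than from this page.

```python
import xml.etree.ElementTree as ET

RISKY = {"HttpGet", "HttpPost"}  # the protocols this page disables

def wrap(protocols_body):
    # Constructed sample wrapper: places a <protocols> body in a config document.
    return ("<configuration><system.web><webServices><protocols>"
            + protocols_body +
            "</protocols></webServices></system.web></configuration>")

def apply_protocols(config_xml, inherited=()):
    """Apply one config file's add/remove/clear entries to the inherited set."""
    enabled = list(inherited)
    root = ET.fromstring(config_xml)  # XML comments are dropped by the parser
    for ws in root.iter("webServices"):
        for protocols in ws.findall("protocols"):
            for child in protocols:
                name = child.get("name")
                if child.tag == "add" and name not in enabled:
                    enabled.append(name)
                elif child.tag == "remove" and name in enabled:
                    enabled.remove(name)
                elif child.tag == "clear":
                    enabled.clear()
    return enabled

def risky_protocols(machine_xml, web_xml=None):
    """Return the HTTP-GET/HTTP-POST protocols still enabled, sorted by name."""
    enabled = apply_protocols(machine_xml)
    if web_xml is not None:
        enabled = apply_protocols(web_xml, enabled)
    return sorted(RISKY.intersection(enabled))

# Constructed samples: a machine-wide config with both protocols enabled,
# the commented-out form shown above, and the per-application removal.
MACHINE_OPEN = wrap('<add name="HttpSoap"/><add name="HttpPost"/>'
                    '<add name="HttpGet"/><add name="Documentation"/>')
MACHINE_HARDENED = wrap('<add name="HttpSoap"/><!-- <add name="HttpPost"/> -->'
                        '<!-- <add name="HttpGet"/> --><add name="Documentation"/>'
                        '<add name="HttpPostLocalhost"/>')
WEB_REMOVES = wrap('<remove name="HttpPost" /><remove name="HttpGet" />')

if __name__ == "__main__":
    print("machine only:", risky_protocols(MACHINE_OPEN))
    print("machine hardened:", risky_protocols(MACHINE_HARDENED))
    print("machine + web removes:", risky_protocols(MACHINE_OPEN, WEB_REMOVES))
```

An empty list means neither protocol is reachable for that application; any name returned is a protocol that still needs to be commented out or removed.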
See Also
Tasks
How to: Disable the Service Help Page for a Web Service
Concepts
Configuration Options for XML Web Services Created Using ASP.NET
Deploying XML Web Services