ASP.NET WCF metadata enabled for behavior
Description
The application's WCF (Windows Communication Foundation) service publishes its metadata to unauthenticated clients: the serviceMetadata service behavior has httpGetEnabled or httpsGetEnabled set to true. Anyone who can reach the endpoint can retrieve the WSDL (Web Services Description Language) document, typically by appending ?wsdl to the service URL, and with it the full service contract: operation names, parameters, data contracts, endpoint addresses and bindings. This is valuable reconnaissance for an attacker, who can generate a working client proxy from the WSDL without any prior knowledge of the service.
Remediation
Disable public metadata publishing in production by setting both httpGetEnabled and httpsGetEnabled to false in the service behavior (or by removing the serviceMetadata element; both attributes default to false). Also remove any WS-MetadataExchange endpoint (an endpoint with contract="IMetadataExchange" and a mex* binding such as mexHttpBinding), because it serves the same metadata over WS-MetadataExchange regardless of the httpGetEnabled and httpsGetEnabled settings. If metadata access is required for a legitimate purpose (such as generating client proxies during development), restrict it with authentication or limit it to internal networks.
Update the service behavior configuration in your web.config or app.config file. Note that a named behavior only applies to services whose <service> element references it with behaviorConfiguration="MyServiceBehavior"; an unnamed <behavior> element is applied by default to every service on .NET Framework 4.0 and later:
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehavior">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
After making this change, restart the application or recycle the IIS application pool so the new configuration is loaded. Where metadata is needed in development, keep it in development-only configuration and use Web.config transformations (for example a Web.Release.config that sets httpGetEnabled and httpsGetEnabled to false) or environment-specific configuration files, so that metadata publishing is never enabled in production deployments.
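As an added example (not code from the original page or from any product it describes), the following Python script audits a web.config or app.config document for the conditions above. The service name Contoso.OrderService, the contract Contoso.IOrderService and the two embedded configuration documents are constructed for the example. Beyond the two GET switches, it also reports a WS-MetadataExchange endpoint, which keeps publishing metadata even when both switches are false, and whether a flagged behavior is actually bound to a service through behaviorConfiguration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the original page: metadata is published over
# HTTP and HTTPS and a WS-MetadataExchange (mex) endpoint is also exposed.
VULNERABLE_CONFIG = """<configuration>
  <system.serviceModel>
    <services>
      <service name="Contoso.OrderService" behaviorConfiguration="MyServiceBehavior">
        <endpoint address="" binding="basicHttpBinding" contract="Contoso.IOrderService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""

# Constructed hardened version: both GET switches off and no mex endpoint.
HARDENED_CONFIG = """<configuration>
  <system.serviceModel>
    <services>
      <service name="Contoso.OrderService" behaviorConfiguration="MyServiceBehavior">
        <endpoint address="" binding="basicHttpBinding" contract="Contoso.IOrderService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def _is_true(value):
    """.NET config booleans are case-insensitive; anything else counts as false."""
    return (value or "").strip().lower() == "true"


def audit_wcf_metadata(config_xml):
    """Return a list of findings describing how a web.config/app.config
    document publishes WCF service metadata. An empty list means clean."""
    root = ET.fromstring(config_xml)
    findings = []
    sm = root.find("system.serviceModel")
    if sm is None:
        return findings  # not a WCF configuration

    # Which services reference which named behavior via behaviorConfiguration.
    services = sm.findall("services/service")
    referenced = {}
    for svc in services:
        key = svc.get("behaviorConfiguration", "")
        referenced.setdefault(key, []).append(svc.get("name", "?"))

    for behavior in sm.findall("behaviors/serviceBehaviors/behavior"):
        meta = behavior.find("serviceMetadata")
        if meta is None:
            continue
        exposed = [a for a in ("httpGetEnabled", "httpsGetEnabled") if _is_true(meta.get(a))]
        if not exposed:
            continue
        name = behavior.get("name", "")
        if name == "":
            # An unnamed behavior is the default for every service on .NET 4.0+.
            scope = "all services that set no behaviorConfiguration (default behavior)"
        elif referenced.get(name):
            scope = "service(s) " + ", ".join(referenced[name])
        else:
            scope = "no service (behavior defined but not referenced)"
        findings.append(
            "serviceMetadata %s=true in behavior '%s' applies to %s"
            % ("/".join(exposed), name or "(default)", scope)
        )

    # A mex endpoint serves the same WSDL over WS-MetadataExchange even when
    # both GET switches are false, so it has to be removed as well.
    for svc in services:
        for ep in svc.findall("endpoint"):
            binding = ep.get("binding", "")
            if ep.get("contract") == "IMetadataExchange" or binding.startswith("mex"):
                findings.append(
                    "metadata exchange endpoint address='%s' binding='%s' on service %s "
                    "publishes metadata regardless of httpGetEnabled/httpsGetEnabled"
                    % (ep.get("address", ""), binding, svc.get("name", "?"))
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit_wcf_metadata(cfg) or ["no findings"])
```

Run it against each deployed configuration file; a non-empty result for a production config is a finding. The script deliberately reports a behavior that enables metadata but is not referenced by any service, since a later change to behaviorConfiguration would silently turn publishing on.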