Protection Level In WCF

Table of Contents

  • Introduction
  • Available Parameters for Protecting Data
  • Protection Level
  • Configuring Protection Level
  • Declaration
  • ProtectionLevel.None
  • ProtectionLevel.Sign
  • ProtectionLevel.EncryptedAndSign
  • Summary


In the modern world when we communicate with different persons and firms in our day to day life to get our business done,  we are always concerned about the confidentiality and integrity of the information we send. Often we send information which is highly secure for the business, in a few cases we send information which is not secure or it might be irrelevant to the business. Ok, lets talk about it in detail with  WCF technology.

Available Parameters for Protecting Data

Sign – It confirms the message has not been tampered or changed by anyone. It signs all the messages on the wire to provide the message integrity.

Encrypt and Sign – It conforms the message we send is confidential and it has not been tampered anywhere by anyone.

Protection Level

Protection Level = Throttle (Control) Message Protection

By default WCF protects all the messages  to provide the data confidentiality and message integrity. If the developer wants to control the flow of message protection, Protection Level will be an ideal option. Yes in a few scenarios, messages are not required to be secure since it doesn’t have any sensitive information, In a few scenarios messages should transmit only in a secure mode. For these sets of things, WCF provides a flexible approach called ‘Protection Level.’  The developer can set their messages which require message integrity or message confidentiality or both.

If the data is not sensitive over the wire, then I will recommend you to set the Protection Level as None because it produces a greater performance. Of course, Encryption or Sign will definitely take additional time in every request and response. Message contracts also support a way to override the protection level for the operation.

Configuring Protection Level

The supported message protection levels in the WCF are:

  • ProtectionLevel. None
  • ProtectionLevel. Sign
  • ProtectionLevel. EncryptAndSign

The Protection levels can be done at all the levels:

  • Service Contract
    • Operation Contract
      • Message Contract
        • Message Header
          • Message Body
If we are defining our protection level at the top level, it is applicable till the root level unless otherwise if we are overriding it in the root level . You can define it like ProtectionLevel is EncryptAndSign in the top level (Service Contract) and override it in the bottom level (Operation Contract) like ProtectionLevel is None. The developer has a flexible approach for controlling the message protection across all levels.


In the above snapshot you can find out if the protection level has to be declared over the service method. For the method GetStringData I have made it as a Sign, because I don’t care about the confidentiality here, but I care for the message integrity, that’s why I have chosen Protection Level. Sign.

For the GetDetailedData method I have set the Protection Level as ProtectionLevel. None, though my service contract Protection Level is   configured as ProtectionLevel. EncryptAndSign because I don’t want to protect this method’s message on the wire.

For the GetIntData method, I didn’t say anything about the Protection Level, Then What will be the Message Protection Level? Of course it will take the Protection level we said in the Service contract level.


The following is the snapshot of the message flow if we set the ProtectionLevel.None.

You can find that the values are transmitted over the wire as a plain text. There is no encryption or Sign. Because we have mentioned the Protection Level is None, Kindly refer App. config of the Service Library, which is enclosed, you can determine the ways to generate the logs. Once it generated have a look on the messages. Svclog.


The following is the snapshot of the message flow if we set the ProtectionLevel.Sign.

You can find that Data Integrity is maintained, but the confidentiality is not maintained. Signature information in the above snapshot will take care of the Data Integrity related things, In the body of the message in the above snapshot you can determine the messages were plain and not encrypted.


The following is the snapshot of the message flow if we set the ProtectionLevel.EncryptedAndSign.


If you find the body of the message, you can find that messages were encrypted and signed. By setting the different ProtectionLevel in different levels we can make our service more efficient and responsive.


If the message sent over the wire is not an important one, Then you can set the protection level as None for all your service messages, it increases the performance. Protection levels can be set in the Service Level, Operation Level, Message Level, Header Level and Body Level.

Similar Articles