Selecting Security Mode Levels for WCF Services

The binding determines which security protocol is used to protect communications. The properties that are available depend on which binding you are using.

Transport level

The specific protocol that is used to deliver transport-level security depends on the binding that you choose. For example, if you select basicHttpBinding and choose transport-level security, the binding will use HTTPS. However, if you are using netTcpBinding, setting the security mode to Transport will cause WCF to use Transport Layer Security (TLS) over TCP or the Simple and Protected GSS-API Negotiation (SPNEGO). In some cases, you may have to make configuration changes to the system on which the client application or service is running, such as installing an SSL certificate.

Message level

When you select message-level protection, WCF uses the WS-Security protocols to protect the message contents that are inside the SOAP message. By default, WCF signs and encrypts message contents when you select the Message security mode.

You must assess the advantages and disadvantages of choosing message-level security or transport-level security when you design your application. For example, message-level security requires more resources and is usually slower than transport-level security, but it does secure the message end to end.

There are various algorithms that you can use to encrypt messages and create digital signatures. Each one has its own set of properties in terms of level of security and speed of execution. You can use the algorithmSuite property to set the message encryption and key-wrap algorithms. The properties of the SecurityAlgorithmSuite class expose the possible algorithms. These algorithms correspond to those that are specified in the WS-SecurityPolicy specification. The default algorithm is Basic256

The following code examples show two ways in which you can set the security mode levels for a binding.

[Visual Basic]

Dim binding As New BasicHttpBinding(SecurityMode.Transport)


' Alternatively, set the mode property.

binding.Security.Mode = BasicHttpSecurityMode.Transport



[Visual C#]

BasicHttpBinding binding =

                         new BasicHttpBinding(SecurityMode.Transport);


// Alternatively, set the mode property.

binding.Security.Mode = BasicHttpSecurityMode.Transport;



The following code example shows how to set message-level security by using a configuration file.



  <binding name=“bankInteropBinding">

    <security mode="Message">

      <message clientCredentialType="Certificate"

                      algorithmSuite="Basic256Rsa15" />






The following code examples show how to set message-level security by using a configuration file.

[Visual Basic]

Dim binding As New BasicHttpBinding(SecurityMode.Message)


' or alternatively

binding.Security.Mode = BasicHttpSecurityMode.Message


' and then

binding.Security.Message.AlgorithmSuite = _


binding.Security.Message.ClientCredentialType = _




[Visual C#]

BasicHttpBinding binding =

    new BasicHttpBinding(SecurityMode.Message);


// or alternatively

binding.Security.Mode = BasicHttpSecurityMode.Message;


// and then

binding.Security.Message.AlgorithmSuite =


binding.Security.Message.ClientCredentialType =




For more information, see Transport Security, Message Security in WCF, and [Algorithm Suite] Property