I know TransportCredentialOnly security mode is not secure. The TransportCredentialOnly security mode option passes the user credentials without encrypting. It is really confusing me, when should we use this security mode in BasicHttpBinding ??
Asked
Active
Viewed 1,474 times
0
-
TransportCredentialOnly will send the credentials in plain text and unencrypted. It is recommended for TESTING only. – Odrai Dec 03 '17 at 15:43
-
Possible duplicate of [What are the differences between security mode="Transport" and security mode="TransportCredentialOnly"](https://stackoverflow.com/questions/4481131/what-are-the-differences-between-security-mode-transport-and-security-mode-tr) – Odrai Dec 03 '17 at 15:46
1 Answers
0
TransportCredentialOnly can be useful if the transport security is provided at a lower level than HTTPS (e.g. using IPSec) (ref: https://msdn.microsoft.com/en-gb/library/ff648505.aspx)
This might be the case if you're using a load balancer to provide HTTPS to the clients, but using HTTP between the load balancer and your backend servers. You could use TransportCredentialOnly on the service bindings and Transport on the client bindings.
velsietis
- 73
- 6