How do you go about securing your web service when moving it to production? In other
words how do you hide the description of web service and the generation of the wsdl
when someone browses to the .asmx page or requests for the wsdl using .asmx?wsdl.
The fix is quite simple but doesn’t seem to be well documented (this should
be one the best practices for web services).
Anyway it’s quite simple to fix. Simply add the following to your web.config
file and presto everything is hidden.
<?xmlversion="1.0"encoding="utf-8"?>
<configuration>
<system.web>
<!--
HIDE THE DOCUMENTATION FOR THE WEB SERVICE
-->
<webServices>
<protocols>
<removename="Documentation"/>
</protocols>
</webServices>
</system.web>
</configuration>
But if you want to remove the error page and instead show your own custom page or
need more fancy stuff like allowing the wsdl to be generated in your development but
not on production then go check this article on
15seconds.com.